Drill: Inspect and Manage the ARP Table

Goal

Inspect the ARP table to verify MAC-to-IP mappings, detect anomalies, and understand local network neighbor resolution.

Setup

  • Linux system with iproute2 installed
  • Network connectivity to a local subnet
  • Root access for modifying entries

Commands

Show the ARP/neighbor table:

ip neigh show

Filter by interface:

ip neigh show dev eth0

Filter by state:

ip neigh show nud reachable
ip neigh show nud stale
ip neigh show nud failed

Look up a specific neighbor:

ip neigh show to 10.0.0.1

Force an ARP resolution:

ping -c 1 10.0.0.5 && ip neigh show to 10.0.0.5

Add a static ARP entry:

ip neigh add 10.0.0.99 lladdr 00:11:22:33:44:55 dev eth0 nud permanent

Delete an ARP entry:

ip neigh del 10.0.0.99 dev eth0

Flush the ARP cache for an interface:

ip neigh flush dev eth0

What to Look For

  • REACHABLE means recently confirmed; STALE means not recently confirmed
  • FAILED entries indicate the host did not respond to ARP requests
  • INCOMPLETE means an ARP request was sent but no reply has been received yet
  • Duplicate MAC addresses for different IPs may indicate ARP spoofing or misconfiguration
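
Added example (not part of the original drill): a small filter that automates the duplicate-MAC check above by reading `ip neigh show` output and listing every MAC that appears for more than one IPv4 address. The function names and the sample table are constructed for illustration; on a live system, pipe `ip -4 neigh show` into `find_dup_macs`.

```shell
#!/bin/sh
# Added example: flag MAC addresses that answer for more than one IPv4 address.
# Live use (assumes iproute2):  ip -4 neigh show | find_dup_macs

# Constructed sample of `ip neigh show` output (addresses and MACs are made up).
sample_neigh() {
    cat <<'EOF'
10.0.0.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
10.0.0.5 dev eth0 lladdr 02:00:00:00:00:05 STALE
10.0.0.7 dev eth0 lladdr 02:00:00:00:00:05 REACHABLE
10.0.0.9 dev eth0 FAILED
10.0.0.12 dev eth0 INCOMPLETE
10.0.0.99 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
fe80::1 dev eth0 lladdr 02:00:00:00:00:01 router STALE
EOF
}

# Reads neighbor lines on stdin; prints "<mac> <ip>,<ip>..." per shared MAC.
find_dup_macs() {
    awk '
    {
        # IPv6 neighbors use NDP, not ARP; a dual-stack host legitimately
        # shows one MAC for both families, so skip them here.
        if (index($1, ":")) next
        mac = ""
        for (i = 1; i < NF; i++)
            if ($i == "lladdr") mac = tolower($(i + 1))
        # FAILED and INCOMPLETE entries have no lladdr field.
        if (mac == "") next
        # Count each (MAC, IP) pair once, even if seen on several interfaces.
        if (seen[mac, $1]++) next
        if (count[mac]++) { ips[mac] = ips[mac] "," $1 } else { ips[mac] = $1 }
    }
    END {
        for (m in count)
            if (count[m] > 1) print m, ips[m]
    }' | sort
}

# Run against the constructed sample; prints the one shared MAC and its IPs.
sample_neigh | find_dup_macs
```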

Common Mistakes

  • Using the deprecated arp command instead of ip neigh
  • Flushing the ARP table on a production system without understanding the brief connectivity impact
  • Not checking for duplicate MACs when troubleshooting IP conflicts
  • Forgetting that static entries added with ip neigh do not persist across reboots

Cleanup

ip neigh del 10.0.0.99 dev eth0 2>/dev/null