Every packet that crosses an Ethernet network has a destination IP address in its header. Switches do not forward traffic by IP address. They forward by MAC address. Something has to bridge the gap between the IP address an application wants to reach and the MAC address the switch needs to deliver the frame. That something is the Address Resolution Protocol, and the data structure it maintains on every host is the ARP table.
An ARP table is a cache of recent IP-to-MAC address mappings maintained by every network-connected device. When a host needs to send traffic to an IP address on the local network, it checks its ARP table first. If the mapping exists, it builds the frame and sends it. If the mapping does not exist, it sends an ARP request to learn the MAC address, then caches the result. Without ARP, IP communication on Ethernet networks would not function.
This guide covers what ARP tables are, how the ARP protocol works, the difference between ARP tables and MAC address tables, the components of an ARP entry, how to view and manage ARP tables across Windows, Linux, and macOS, common troubleshooting scenarios, and the security implications IT professionals need to understand.
Table of contents
- Understanding ARP Tables
- How the Address Resolution Protocol (ARP) Works
- Differences Between ARP and MAC Tables
- Components of an ARP Table
- Managing ARP Tables
- Address Resolution Protocol in Action
- Common ARP Table Issues and Solutions
- How Network Monitoring Tools Like Domotz Use ARP
- Conclusion
- Frequently Asked Questions
Understanding ARP Tables
An ARP table, sometimes called the ARP cache, is a local lookup table maintained by network-connected devices that maps IP addresses to MAC addresses. Every entry represents a recently learned association: this IP address corresponds to this MAC address on the local network. Without this mapping, a host has no way to deliver IP traffic to the correct physical destination on the same Layer 2 segment.
Definition: Mapping IP Addresses to MAC Addresses
ARP, defined in RFC 826, operates between OSI Layer 2 (Data Link, where MAC addresses live) and Layer 3 (Network, where IP addresses live). When an application sends data, it specifies the destination IP. The operating system’s network stack consults the ARP table to find the MAC address corresponding to that IP, builds the Ethernet frame with the correct destination MAC, and hands it to the network interface for transmission.
ARP tables are dynamic by default. Entries are learned from network traffic, refreshed when traffic continues, and aged out when they go unused. Each entry has a timeout, typically a few minutes on most operating systems, after which the entry is removed and re-learned the next time it is needed.
Importance in Network Communication
The ARP table is one of the most consulted data structures on any networked host. Every IP packet destined for a device on the local subnet triggers a lookup. When the lookup succeeds, traffic flows. When it fails, an ARP request goes out and the host waits for a reply before transmitting. A malformed, stale, or poisoned ARP table can break connectivity to specific hosts, redirect traffic to attackers, or trigger intermittent failures that are notoriously hard to diagnose because they look like everything but the real cause.
For IT teams troubleshooting connectivity issues, the ARP table is one of the first places to look. For security teams, ARP behavior is one of the earliest indicators of certain types of network attacks.
How the Address Resolution Protocol (ARP) Works
ARP is a request-reply protocol that operates entirely on the local network segment. It does not cross routers, because every Layer 3 hop has its own ARP scope.
ARP Request and Reply Process
The ARP exchange follows a predictable four-step sequence:
- Lookup: A host needs to send a packet to an IP address on the local subnet. It checks its ARP table for a matching entry.
- ARP request: If no entry exists, the host broadcasts an ARP request to the entire local segment, asking “who has this IP address?” The request includes the requester’s IP and MAC.
- ARP reply: The host that owns the queried IP sends a unicast ARP reply back to the requester, including its MAC address.
- Cache and transmit: The requester adds the new mapping to its ARP table and transmits the original packet using the learned MAC address.
Other hosts that see the broadcast ARP request also opportunistically learn the requester’s IP-to-MAC mapping, which is why ARP tables on a busy network typically contain entries for hosts the device has never directly communicated with. There is also a special variant called gratuitous ARP, where a host announces its own IP-to-MAC mapping to the network without being asked. Gratuitous ARPs are commonly used during boot, after IP changes, and as part of high-availability failover.
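The four-step exchange and the gratuitous variant described above, as an added Python example that is not part of the original guide. It packs and parses Ethernet/IPv4 ARP frames in the RFC 826 layout entirely in memory; the `segment` dictionary and all addresses are constructed stand-ins for real hosts.

```python
import socket
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806           # EtherType of an ARP payload
OP_REQUEST, OP_REPLY = 1, 2      # RFC 826 opcodes
BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
FRAME = struct.Struct("!6s6sH" "HHBBH6s4s6s4s")  # Ethernet header + 28-byte ARP body

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def is_gratuitous(self):
        # A host announcing its own mapping puts its own IP in both IP fields.
        return self.sender_ip == self.target_ip

    def pack(self):
        return FRAME.pack(
            mac_bytes(self.eth_dst), mac_bytes(self.eth_src), ETHERTYPE_ARP,
            1, 0x0800, 6, 4, self.op,  # Ethernet, IPv4, MAC length, IP length
            mac_bytes(self.sender_mac), socket.inet_aton(self.sender_ip),
            mac_bytes(self.target_mac), socket.inet_aton(self.target_ip))

def parse(frame):
    if len(frame) < FRAME.size:
        raise ValueError("truncated frame")
    f = FRAME.unpack_from(frame)
    if f[2] != ETHERTYPE_ARP or f[3:7] != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return ArpFrame(mac_text(f[0]), mac_text(f[1]), f[7], mac_text(f[8]),
                    socket.inet_ntoa(f[9]), mac_text(f[10]), socket.inet_ntoa(f[11]))

def make_request(my_mac, my_ip, wanted_ip):
    # Broadcast; the target MAC is the unknown being asked for, so it is zeros.
    return ArpFrame(BROADCAST, my_mac, OP_REQUEST, my_mac, my_ip, UNKNOWN, wanted_ip)

def make_reply(req, owner_mac):
    return ArpFrame(req.sender_mac, owner_mac, OP_REPLY,
                    owner_mac, req.target_ip, req.sender_mac, req.sender_ip)

def resolve(cache, my_mac, my_ip, wanted_ip, segment):
    # `segment` (ip -> mac) stands in for the hosts listening on the wire.
    if wanted_ip in cache:                                       # 1. lookup
        return cache[wanted_ip]
    req = parse(make_request(my_mac, my_ip, wanted_ip).pack())   # 2. request
    if req.target_ip not in segment:
        return None                                              # no owner answered
    rep = parse(make_reply(req, segment[req.target_ip]).pack())  # 3. reply
    cache[rep.sender_ip] = rep.sender_mac                        # 4. cache
    return cache[wanted_ip]
```

Nothing in the reply proves that the sender owns the address it claims, which is why the cache step accepts whatever MAC the frame carries.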
ARP and the OSI Model
ARP straddles Layer 2 and Layer 3 of the OSI model. The protocol itself runs in Ethernet frames at Layer 2 (with EtherType 0x0806), but its purpose is to bridge Layer 3 IP addressing with Layer 2 MAC addressing. Some networking textbooks classify ARP as a Layer 2.5 protocol because of this dual nature.
For IPv6 networks, ARP is replaced by the Neighbor Discovery Protocol (NDP), which serves the same fundamental purpose using ICMPv6 messages and a more secure design. Most modern networks run dual-stack and maintain both ARP tables (for IPv4) and neighbor caches (for IPv6).
Differences Between ARP and MAC Tables
ARP tables and MAC address tables are commonly confused. They are different data structures, located on different devices, serving different functions.
| Aspect | ARP Table | MAC Address Table |
| --- | --- | --- |
| Located On | End hosts, routers, Layer 3 switches | Layer 2 switches |
| Maps | IP address → MAC address | MAC address → switch port |
| OSI Layer | Bridges Layer 3 to Layer 2 | Layer 2 only |
| Purpose | Find which MAC owns a given IP | Forward frames to the correct port within a VLAN |
| Typical Aging | Minutes (varies by OS) | Around 300 seconds (5 minutes) by default |
| How Populated | ARP requests and replies; gratuitous ARP | Source MAC learning from incoming frames |
Both tables work together to deliver a frame. The ARP table on the sending host determines which MAC to address the frame to. The MAC address table on each switch along the path determines which physical port to forward the frame out of. A misconfiguration in either table breaks delivery in different ways.
Components of an ARP Table
An ARP table entry contains several fields, with slight variations across operating systems. The core components are:
- IP address: The Layer 3 address being mapped.
- MAC address: The Layer 2 address (also called the link-layer or hardware address) corresponding to the IP.
- Interface: The local network interface through which the entry was learned and is reachable.
- Type: Whether the entry is dynamic (learned from network traffic) or static (manually configured and not subject to aging).
- State: The current reachability state. On Linux, common states include REACHABLE (recently confirmed), STALE (not recently confirmed but present), DELAY (about to be probed), PROBE (being verified), FAILED (no response), and INCOMPLETE (resolution in progress).
- Age or timer: Time remaining before the entry is aged out and re-learned.
Static entries are useful for critical infrastructure devices that should never have their ARP mapping changed by a malicious or accidental ARP reply. They come at the cost of manual maintenance: if the device’s MAC changes (NIC replacement, virtual machine migration), the static entry must be updated by hand.
Managing ARP Tables
Every major operating system provides command-line tools to view and manage the ARP table. The exact commands differ between Windows, Linux, and macOS.
Viewing an ARP Table
On Windows:
arp -a
On Linux (modern, using iproute2):
ip neigh show
On Linux (legacy, using net-tools):
arp -a
On macOS:
arp -a
The output lists each known IP-to-MAC mapping along with the interface and entry type. On Linux, ip neigh additionally shows the reachability state, which is more useful than the legacy arp command for diagnosing problems.
Adding an ARP Entry
Static ARP entries can be added manually for hosts whose mapping should never change. On Windows (run as Administrator):
arp -s 192.168.1.10 00-1A-2B-3C-4D-5E
On Linux:
sudo ip neigh add 192.168.1.10 lladdr 00:1a:2b:3c:4d:5e dev eth0 nud permanent
On macOS (run with sudo):
sudo arp -s 192.168.1.10 00:1a:2b:3c:4d:5e
Modifying an ARP Entry
Most operating systems do not have a dedicated modify command. The standard practice is to delete the existing entry and add a new one. On Linux, ip neigh replace performs both operations in a single command:
sudo ip neigh replace 192.168.1.10 lladdr 00:1a:2b:3c:4d:5e dev eth0
Deleting an ARP Entry
On Windows (run as Administrator):
arp -d 192.168.1.10
On Linux:
sudo ip neigh del 192.168.1.10 dev eth0
On macOS:
sudo arp -d 192.168.1.10
Flushing the ARP Table
Clearing the entire ARP table is a common troubleshooting step when stale entries are suspected. On Windows (run as Administrator):
netsh interface ip delete arpcache
On Linux:
sudo ip neigh flush all
On macOS:
sudo arp -a -d
After flushing, the ARP table rebuilds itself organically as the host resumes communication with other devices on the subnet.
Address Resolution Protocol in Action
ARP behavior shows up in real troubleshooting scenarios constantly. Understanding what is happening at the protocol level is the difference between guessing and diagnosing.
Practical Troubleshooting Scenarios
Intermittent connectivity to a specific host: A stale ARP entry pointing to an old MAC address (after a NIC replacement, virtual machine migration, or DHCP reassignment) causes traffic to be sent to a MAC that no longer corresponds to the IP. The fix is to flush the ARP entry for that host or wait for it to time out naturally.
Two devices claiming the same IP (IP conflict): Both devices respond to ARP requests for that IP, leaving the requester with an unstable mapping that may flip between MACs. Connectivity becomes intermittent or fails entirely. The ARP table on the requester typically shows the conflict if observed during the issue.
Cannot reach a device that should be on the same subnet: The ARP table shows the entry as INCOMPLETE or FAILED. The device may be powered off, on a different VLAN, or connected to a switch port that is administratively down. ARP confirms whether the issue is reachability at Layer 2 or something further up the stack.
Unexpected default gateway behavior: An incorrect ARP entry for the default gateway breaks all off-subnet communication for the affected host. Verifying and refreshing the gateway’s ARP entry is a standard troubleshooting step.
Security Applications
ARP behavior is a significant source of security signal. Unexpected ARP changes, devices announcing themselves with multiple MAC addresses, or sudden ARP cache changes for the default gateway are all indicators of potential ARP-based attacks. Network security teams monitor ARP traffic for these patterns alongside other indicators of compromise.
On the defensive side, mechanisms like Dynamic ARP Inspection (DAI) on managed switches validate ARP packets against trusted bindings learned from DHCP snooping, dropping malicious ARP traffic before it reaches its target.
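An added example (not from the original guide) that applies the troubleshooting scenarios and the indicators listed under Security Applications to two saved copies of `ip neigh show` output. The snapshots, addresses and the `triage` helper are constructed for illustration, and only the plain output format without extra flags is handled.

```python
import re

# `ip neigh show` line: "<ip> dev <if> [lladdr <mac>] [router] <STATE>".
NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?"
    r"(?: router)?\s+(?P<state>[A-Z]+)$")

# Constructed snapshots of one host's table, taken before and during a problem.
BEFORE = """
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:20 STALE
192.168.1.30 dev eth0 lladdr 02:00:00:00:00:30 REACHABLE
"""
DURING = """
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:20 REACHABLE
192.168.1.30 dev eth0  FAILED
192.168.1.40 dev eth0 INCOMPLETE
"""


def parse_neigh(text):
    """Return {(ip, dev): (mac or None, state)}; unrecognised lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[(m["ip"], m["dev"])] = (m["mac"], m["state"])
    return table


def triage(before, during, gateway_ip):
    """Compare two snapshots and list the entries that need attention."""
    old, new = parse_neigh(before), parse_neigh(during)
    findings = []
    for (ip, dev), (mac, state) in sorted(new.items()):
        if state in ("FAILED", "INCOMPLETE"):
            # Layer 2 reachability problem: powered off, wrong VLAN, port down.
            findings.append((ip, "unresolved", state))
        old_mac = old.get((ip, dev), (None, None))[0]
        if mac and old_mac and mac != old_mac:
            # NIC swap, VM migration, IP conflict or a spoofed reply: all need a look.
            kind = "gateway-mac-changed" if ip == gateway_ip else "mac-changed"
            findings.append((ip, kind, f"{old_mac} -> {mac}"))
    return findings


if __name__ == "__main__":
    for finding in triage(BEFORE, DURING, gateway_ip="192.168.1.1"):
        print(*finding)
```

A changed gateway MAC is also what a legitimate high-availability failover looks like, so confirm the new address against the switch's MAC address table before treating it as an attack.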
Common ARP Table Issues and Solutions
Several recurring ARP table problems show up across IT environments, with a few being particularly important for security teams to understand.
ARP Cache Poisoning and Mitigation Strategies
ARP cache poisoning, also called ARP spoofing, is one of the oldest network attacks and remains effective on networks that have not specifically defended against it. The attack works by sending unsolicited ARP replies that associate the attacker’s MAC address with a legitimate IP address (often the default gateway). Victim hosts cache the false mapping and send their traffic to the attacker, who can then read, modify, or relay it. This is the foundation of most local-network man-in-the-middle attacks.
Mitigation strategies include:
- Dynamic ARP Inspection (DAI): A managed switch feature that validates ARP packets against a trusted binding table built from DHCP snooping. Drops ARP packets that do not match a known IP-to-MAC binding.
- DHCP snooping: Tracks legitimate IP-to-MAC bindings as they are assigned by trusted DHCP servers. The data feeds DAI for ARP validation.
- Static ARP entries for critical infrastructure: Static entries cannot be overwritten by ARP replies, which protects the most important mappings (default gateway, key servers).
- Network segmentation: Reducing the size of broadcast domains through VLANs limits the scope of any successful ARP poisoning attack to the affected segment.
- Port security: Restricting which MAC addresses can communicate on specific switch ports limits an attacker’s ability to deliver malicious ARP traffic.
- Continuous monitoring: Tools that watch for unusual ARP behavior, new devices joining segments, or unexpected MAC changes provide early warning of ARP-based attacks. The Domotz network diagnostics feature includes IP conflict detection that surfaces the symptoms of certain ARP anomalies. For broader network security coverage, ARP-aware monitoring works alongside other detection capabilities.
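A simplified model of how DHCP snooping feeds Dynamic ARP Inspection, added here as an illustration and not taken from any switch vendor's implementation. The port names, addresses, class and method names are assumptions, as are the port and Ethernet-source checks, which go beyond the IP-to-MAC match the list describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the snooping table: where a leased IP is allowed to appear."""
    ip: str
    mac: str
    vlan: int
    port: str


class ArpInspector:
    def __init__(self, trusted_ports, static_bindings=()):
        self.trusted = set(trusted_ports)      # uplinks and DHCP-server ports
        self.table = {(b.vlan, b.ip): b for b in static_bindings}
        self.drops = []                        # audit trail for alerting

    def snoop_dhcp_ack(self, ingress_port, client):
        """Learn a lease, but only from a DHCPACK that arrived on a trusted port."""
        if ingress_port not in self.trusted:
            return False                       # untrusted DHCP source: ignore it
        self.table[(client.vlan, client.ip)] = client
        return True

    def inspect(self, port, vlan, eth_src, sender_mac, sender_ip):
        """Verdict for one ARP packet seen on `port`: 'forward' or 'drop:<reason>'."""
        if port in self.trusted:
            return "forward"                   # trusted ports bypass inspection
        bound = self.table.get((vlan, sender_ip))
        if bound is None:
            reason = "no-binding"
        elif sender_mac != bound.mac:
            reason = "ip-mac-mismatch"         # the cache-poisoning case
        elif eth_src != sender_mac:
            reason = "ethernet-source-mismatch"
        elif port != bound.port:
            reason = "wrong-port"
        else:
            return "forward"
        self.drops.append((port, vlan, sender_ip, sender_mac, reason))
        return "drop:" + reason


def demo():
    """Constructed scenario: gateway pinned statically, one client leased by DHCP."""
    gw = Binding("192.168.1.1", "00:1a:2b:3c:4d:5e", 10, "Gi0/24")
    dai = ArpInspector(trusted_ports={"Gi0/24"}, static_bindings=[gw])
    dai.snoop_dhcp_ack("Gi0/24", Binding("192.168.1.10", "02:00:00:00:00:10", 10, "Gi0/3"))
    return dai, [
        dai.inspect("Gi0/3", 10, "02:00:00:00:00:10", "02:00:00:00:00:10", "192.168.1.10"),
        dai.inspect("Gi0/7", 10, "02:00:00:00:00:66", "02:00:00:00:00:66", "192.168.1.1"),
        dai.inspect("Gi0/7", 10, "02:00:00:00:00:66", "02:00:00:00:00:66", "192.168.1.77"),
    ]
```

The second verdict is the one that matters: an ARP packet claiming the gateway's IP with a different MAC is dropped at the access port and recorded in `drops` before any host can cache it.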
Other common ARP issues include stale entries (resolved by flushing or waiting for timeout), entries pointing to the wrong MAC after network changes (resolved by manual deletion and re-learning), and INCOMPLETE entries indicating reachability problems at Layer 2 (resolved by verifying physical connectivity, VLAN assignment, and switch port state).
How Network Monitoring Tools Like Domotz Use ARP
Domotz is a network monitoring and device discovery platform. It is not an ARP table editor. Operators who need to view, add, modify, or flush ARP entries on a specific host should still reach for arp or ip neigh at the device CLI. What Domotz provides is a network-wide visibility layer that uses ARP, alongside other discovery protocols, to maintain an accurate picture of every device on every monitored segment.
Specifically, Domotz uses ARP for:
- Layer 2 device discovery: The Domotz collector continuously sends ARP requests across the local subnet to discover every IP-connected device, including hosts that block ICMP and would not respond to a ping sweep.
- MAC address resolution and OUI lookup: Each discovered MAC is checked against the IEEE OUI database to identify the manufacturer, providing a starting point for device classification.
- Device identification across IP changes: Because MAC addresses are stable while IP addresses can change (DHCP leases, IP renumbering), Domotz tracks devices by MAC, ensuring the device remains identified even if its IP changes.
- New device alerts: When a previously unseen MAC appears in ARP responses, Domotz generates a real-time alert, surfacing the device for the IT team to review.
- IP conflict detection: Domotz SNMP monitoring and active scanning identify IP duplication on the network, the symptom of certain ARP-related problems.
- Multi-VLAN ARP discovery: When the collector is connected to a trunk port, it performs ARP-based discovery across each monitored VLAN, supporting multi-segment environments without separate collectors per VLAN.
For deeper coverage of how Layer 2 and Layer 3 discovery work together in Domotz and similar platforms, see the Domotz guide to agentless network discovery. For more on the relationship between MAC and IP addresses that ARP bridges, the Domotz article on MAC address vs IP address covers the foundational concepts.
Conclusion
The ARP table is one of the most important data structures in any networked operating system. It bridges Layer 3 IP addressing to Layer 2 MAC delivery, and its behavior shapes everything from basic connectivity to security posture. Understanding what an ARP table contains, how the protocol works, and how to view and manage entries across Windows, Linux, and macOS is foundational knowledge for network engineers, IT professionals, and MSPs.
For ongoing visibility into the devices that ARP discovers and the segments they live on, network monitoring tools that use ARP for Layer 2 discovery deliver continuous awareness without manual scans. Start a free 14-day Domotz trial, no credit card required, and see every device on every subnet, identified by IP and MAC, within minutes of deployment.
Frequently Asked Questions
What is an ARP table?
An ARP table is a local cache of IP-to-MAC address mappings maintained by every network-connected device. It records which MAC address corresponds to each IP address the device has recently communicated with on the local network segment. When a host needs to send a packet to an IP, it consults the ARP table to find the destination MAC and build the Ethernet frame. Without the ARP table, IP communication on Ethernet networks would not function. ARP tables are dynamic by default, with entries learned from network traffic and aged out after a few minutes of inactivity.
How does an ARP table work?
When a host needs to send a packet to an IP address on the local network, it first checks its ARP table for a matching entry. If the entry exists, the host uses the cached MAC and sends the packet. If the entry does not exist, the host broadcasts an ARP request to the local segment asking which device owns that IP. The owning device sends a unicast ARP reply containing its MAC address. The requesting host adds the new mapping to its ARP table and sends the packet. The cached entry is then reused for subsequent packets to the same IP until it ages out.
What information is stored in an ARP table?
An ARP table entry typically contains the IP address, the corresponding MAC address, the local network interface used to reach the device, the entry type (dynamic or static), the reachability state, and the age or timer until the entry expires. On Linux systems using ip neigh, common reachability states include REACHABLE, STALE, DELAY, PROBE, FAILED, and INCOMPLETE, each indicating where the entry sits in the verification lifecycle. Static entries do not expire and must be removed manually if the IP-to-MAC mapping changes.
How can I view the ARP table in Linux?
Modern Linux systems use the ip neigh show command from the iproute2 package, which displays IP-to-MAC mappings along with their reachability state. Older systems and those still using the legacy net-tools package use arp -a. Both commands list the same underlying ARP table, but ip neigh provides more detailed state information that is useful for diagnosing reachability problems. Adding -s to ip neigh show displays per-state statistics for the neighbor cache.
What are common ARP table issues?
The most common ARP table issues are stale entries pointing to old MAC addresses after a device change, IP conflicts where two devices claim the same IP and ARP responses become unstable, INCOMPLETE entries indicating Layer 2 reachability failures, ARP cache poisoning where a malicious actor sends false ARP replies to redirect traffic, and incorrect entries for the default gateway breaking all off-subnet communication. Most of these issues can be diagnosed by inspecting the ARP table during the problem and resolved by flushing the affected entries or addressing the underlying cause.
How do I clear an ARP table?
On Windows, run netsh interface ip delete arpcache from an Administrator command prompt. On Linux, run sudo ip neigh flush all to clear all neighbor entries, or sudo ip neigh flush dev eth0 to clear only entries for a specific interface. On macOS, run sudo arp -a -d. After flushing, the ARP table will rebuild itself organically as the host resumes network communication. Flushing is a common troubleshooting step when stale entries are suspected, but it does not fix underlying issues like duplicate IPs or ARP poisoning.
What is the difference between ARP and a MAC address?
A MAC address is the physical hardware address assigned to a network interface, used at Layer 2 to deliver frames within a local network segment. ARP is the Address Resolution Protocol, which discovers the MAC address corresponding to a given IP address. The MAC address is a property of the device. ARP is the protocol that lets other devices learn that mapping. The ARP table is the data structure where the learned mappings are cached. MAC addresses exist independently of ARP and would be used for Layer 2 forwarding even if ARP did not exist, but without ARP, hosts would have no way to know which MAC corresponds to a given IP on the local network.
How does ARP cache poisoning work?
ARP cache poisoning, also called ARP spoofing, exploits the fact that ARP has no built-in authentication for replies. An attacker on the local network sends unsolicited ARP replies that associate the attacker’s MAC address with a legitimate IP address, often the default gateway. Victim hosts cache the false mapping and start sending their traffic to the attacker, who can read, modify, or relay it before forwarding to the real destination. This is the foundation of many local-network man-in-the-middle attacks. Defenses include Dynamic ARP Inspection on managed switches, DHCP snooping, static ARP entries for critical infrastructure, network segmentation through VLANs, and continuous monitoring for unusual ARP behavior.