Checking network connections with arp and ip neigh

Linux provides two very useful tools for diagnosing network troubles: arp and ip neigh.

The arp command is a tool that allows you to display the IP-address-to-MAC-address mappings that a system has built so that it doesn’t have to fetch the same information repeatedly for systems it communicates with. In doing this, arp allows you to discover and display details about systems on your network.

The other is the arp command’s younger brother, ip neigh, which can also display and manipulate arp tables. In this post, we’ll take a look at how these commands work and what they can tell you.

Using arp

To display the ARP table on a Linux system, just type “arp”. Add -a to condense the output if you don’t want to see the data organized into columns with headings. (An arp-a command also will show the arp table in the command prompt on a Windows box, by the way.)

Here’s an example of the arp command and what it shows you:

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
fruitfly                 ether   7c:67:a2:cf:9f:ef   CM                    enp0s25
Comtrend.Home            ether   f8:8e:85:35:7f:b9   C                     enp0s25
dragonfly                ether   20:ea:16:01:55:eb   C                     enp0s25
SAMSUNG-SM-G935A                 (incomplete)                              enp0s25
V40-ThinQ                ether   02:0f:b5:0d:17:27   C                     enp0s25
DESKTOP-UDLCLKR          ether   04:ed:33:7c:44:c6   C                     enp0s25
192.168.0.8                      (incomplete)                              enp0s25
katydid                  ether   00:25:00:4e:9e:35   C                     enp0s25
V40-ThinQ                ether   38:30:f9:29:f8:a4   C                     enp0s25
butterfly                ether   44:65:0d:43:ed:44   C                     enp0s25

The first line contains the column headings. The first column shows IP addresses or host names. The second (HWtype) indicates that the connections are Ethernet connections, and the third (HWaddress) is the MAC address of each device. In this example, all but one connection are marked C, which means “complete” and verifies the connection was successful. One of the two devices that don’t show a C in this example is a cell phone. The other is a system that is offline.

The last column, Iface, means “interface” and represents the port on the system through which all of the connections are being made. Some systems, especially servers, might have multiple network interfaces. In that case, you can select a particular interface by adding a -i and the interface name (e.g., arp -ai eth0).

$ arp -a
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.33             ether   7c:67:a2:cf:9f:ef   CM                    enp0s25
192.168.0.1              ether   f8:8e:85:35:7f:b9   C                     enp0s25
192.168.0.7              ether   20:ea:16:01:55:eb   C                     enp0s25
192.168.0.23                     (incomplete)                              enp0s25
192.168.0.20             ether   02:0f:b5:0d:17:27   C                     enp0s25
192.168.0.14             ether   04:ed:33:7c:44:c6   C                     enp0s25
192.168.0.8                      (incomplete)                              enp0s25
192.168.0.17             ether   00:25:00:4e:9e:35   C                     enp0s25
192.168.0.15             ether   38:30:f9:29:f8:a4   C                     enp0s25
192.168.0.13             ether   44:65:0d:43:ed:44   C                     enp0s25

The Flags column may show:

• C == complete
• M == permanent (static field that was entered manually)
• P == published (proxy arp)

Addresses marked as static (PERM) were likely added to the table through a deliberate arp -s command like this:

$ sudo arp -s 192.168.0.33 7c:67:a2:cf:9f:ef

The mask field will display an optional mask if one is used.

Compare the output above to what you see below. While it may appear less human-friendly, this format might serve better if you plan to process the output with a script since you won’t have to consider how many tabs might be sitting between the various columns or jump past the first line to start with the data on line 2. Note that it doesn’t display the flags field.

$ arp -a
fruitfly (192.168.0.33) at 7c:67:a2:cf:9f:ef [ether] PERM on enp0s25
Comtrend.Home (192.168.0.1) at f8:8e:85:35:7f:b9 [ether] on enp0s25
dragonfly (192.168.0.7) at 20:ea:16:01:55:eb [ether] on enp0s25
SAMSUNG-SM-G935A (192.168.0.23) at  on enp0s25
V40-ThinQ (192.168.0.20) at 02:0f:b5:0d:17:27 [ether] on enp0s25
DESKTOP-UDLCLKR (192.168.0.14) at 04:ed:33:7c:44:c6 [ether] on enp0s25
? (192.168.0.8) at  on enp0s25
katydid (192.168.0.17) at 00:25:00:4e:9e:35 [ether] on enp0s25
V40-ThinQ (192.168.0.15) at 38:30:f9:29:f8:a4 [ether] on enp0s25
butterfly (192.168.0.13) at 44:65:0d:43:ed:44 [ether] on enp0s25

To display only IP addresses (no hostnames), add the n (numeric) option to your arp command:

$ arp -an
? (192.168.0.33) at 7c:67:a2:cf:9f:ef [ether] PERM on enp0s25
? (192.168.0.1) at f8:8e:85:35:7f:b9 [ether] on enp0s25
? (192.168.0.7) at 20:ea:16:01:55:eb [ether] on enp0s25
? (192.168.0.23) at  on enp0s25
? (192.168.0.20) at 02:0f:b5:0d:17:27 [ether] on enp0s25
? (192.168.0.14) at 04:ed:33:7c:44:c6 [ether] on enp0s25
? (192.168.0.8) at  on enp0s25
? (192.168.0.17) at 00:25:00:4e:9e:35 [ether] on enp0s25
? (192.168.0.15) at 38:30:f9:29:f8:a4 [ether] on enp0s25
? (192.168.0.13) at 44:65:0d:43:ed:44 [ether] on enp0s25

Using a tool like the one here, you can look up the origin of the network interfaces listed. This is because the first three bytes of each MAC address represent the manufacturer. The second three bytes are serial numbers. The f8:8e:85:35:7f:b9 address at the top of the list above, for example, indicates that the device with this MAC address is made by Comtrend. 00:06:2a:… would indicate a Cisco device. A complete list of manufacturers and related MAC addresses is available at this GitHub site.

Using ip neigh

The ip neigh command provides information very similar to what you get using arp. (The neigh option to the ip command can be spelled out as “neighbor” or “neighbour” if you don’t mind typing a few more letters.)

One of the reasons for using ip neigh in place of arp is that arp is among a number of Linux commands that are now deprecated (not recommended), and the net-tools package from which it derives is no longer under active development. The newer ip commands should provide the same basic information, but arp is still a popular tool because of its many features.

Here is an example of the ip neigh command:

$ ip neigh
192.168.0.33 dev enp0s25 lladdr 7c:67:a2:cf:9f:ef REACHABLE
192.168.0.1 dev enp0s25 lladdr f8:8e:85:35:7f:b9 STALE
192.168.0.7 dev enp0s25 lladdr 20:ea:16:01:55:eb REACHABLE
192.168.0.23 dev enp0s25  FAILED
192.168.0.20 dev enp0s25  FAILED
192.168.0.14 dev enp0s25 lladdr 04:ed:33:7c:44:c6 STALE
192.168.0.8 dev enp0s25  FAILED
192.168.0.17 dev enp0s25 lladdr 00:25:00:4e:9e:35 STALE
192.168.0.15 dev enp0s25 lladdr 38:30:f9:29:f8:a4 STALE
192.168.0.13 dev enp0s25 lladdr 44:65:0d:43:ed:44 STALE
fe80::fa8e:85ff:fe35:7fb9 dev enp0s25 lladdr f8:8e:85:35:7f:b9 router STALE

FAILED indicates that the system could not be reached. STALE indicates that the connection hasn’t been recently verified.

The ip neigh command offers additional options as well. For example, to add or remove an address from your arp table, you could use commands like these:

$ sudo ip neigh add 192.168.0.21 dev emp0s25		 add an entry
$ sudo ip neigh del 192.168.0.8 dev enp0s25		 delete an entry

Wrap-up

Both arp and ip neigh are great commands for displaying information on local systems. Being able to check connections and verify system types from a terminal window can be very handy.