Arp Tip

I finally used Windows’ arp command for something useful.

Last week I was configuring numerous brand new LinkSys routers for various branch offices. After successfully configuring the first one, I plugged in the second and tried to connect to its web admin page. Unfortunately, my connection attempt kept on timing out. After a couple of minutes of pulling my hair out, I remembered something I had learned about in school a few years ago — Address Resolution Protocol or ARP for short.

ARP is a protocol for determining a host’s hardware address given its network address. In the common case of TCP/IP-over-ethernet networks, the hardware address is known as the MAC address and the network address is known as the IP address. This protocol is important because a host’s hardware address must be known before you can communicate with it over a network.

If you’re familiar with LinkSys routers, you’ll know that they all have the default IP address of 192.168.1.1. On the other hand, every networked device (including LinkSys routers) has (or should have) a unique MAC address. For example, I had two routers with MAC addresses of 00-00-24-c5-94-f4 and 00-00-24-c6-66-84 respectively.

When I plugged the first one in and tried to connect to http://192.168.1.1, Windows silently used ARP to translate the IP address 192.168.1.1 into the MAC address 00-00-24-c5-94-f4. This worked without a hitch and I was able to configure the router.

The problem arose when I plugged in the second router. Apparently, Windows (and perhaps other operating systems) caches the IP-address-to-MAC-address mapping for a period of time. When I tried to connect to http://192.168.1.1, Windows looked up that IP address in its ARP cache and found the MAC address 00-00-24-c5-94-f4. However, the MAC address it really needed to use was 00-00-24-c6-66-84.

How long does Windows cache these arp mappings and how do you delete the cache? The answers can be found on Microsoft’s TechNet. According to TechNet:

Dynamic ARP cache entries – These entries are added and deleted automatically during normal use of TCP/IP sessions with remote computers. Dynamic entries age and expire from the cache if not reused within 2 minutes. If a dynamic entry is reused within 2 minutes, it may remain in the cache and age up to a maximum cache life of 10 minutes before being removed or requiring cache renewal by using the ARP broadcast process.

To view the current contents of the ARP cache, go to a command prompt and run arp -a. To delete the entire cache, run arp -d. To delete only a particular mapping, run arp -d followed by its IP address (for example, arp -d 192.168.1.1).

Here is an example session to show you what I’m talking about. Note that ping fails (i.e. times out) if you have an incorrect IP-address-to-MAC-address mapping:

C:\> arp -a

Interface: 192.168.1.25 on Interface 0x9000006
Internet Address      Physical Address      Type
192.168.1.1            00-00-24-c5-94-f4     dynamic

C:\> ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time< 10ms TTL=64
Reply from 192.168.1.1: bytes=32 time< 10ms TTL=64
Reply from 192.168.1.1: bytes=32 time< 10ms TTL=64
Reply from 192.168.1.1: bytes=32 time< 10ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  0ms, Average =  0ms

(AT THIS POINT, I PLUGGED IN THE OTHER ROUTER)

C:\> ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  0ms, Average =  0ms

C:\> arp -a

Interface: 192.168.1.25 on Interface 0x9000006
Internet Address      Physical Address      Type
192.168.1.1            00-00-24-c5-94-f4     dynamic

C:\> arp -d 192.168.1.1

C:\> ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time< 10ms TTL=64
Reply from 192.168.1.1: bytes=32 time< 10ms TTL=64
Reply from 192.168.1.1: bytes=32 time< 10ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  1ms, Average =  0ms

C:\> arp -a

Interface: 192.168.1.25 on Interface 0x9000006
Internet Address      Physical Address      Type
192.168.1.1            00-00-24-c6-66-84     dynamic

C:\>
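The comparison done by eye in the session above can be scripted. The following is an added example, not part of the original post: it parses two saved arp -a outputs and reports every IP address whose cached MAC address differs between them. The function names are hypothetical and the sample input is copied from the session above.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Interface: 192.168.1.25 on Interface 0x9000006" starts a per-adapter section.
IFACE = re.compile(rf"^\s*Interface:\s+({IPV4})\b")
# Entry line: IPv4 address, MAC as six hex pairs joined by '-', entry type.
ENTRY = re.compile(
    rf"^\s*({IPV4})\s+((?:[0-9A-Fa-f]{{2}}-){{5}}[0-9A-Fa-f]{{2}})\s+(\w+)\s*$"
)

def parse_arp(text):
    """Return {(interface_ip, ip): mac} from Windows `arp -a` output."""
    table, iface = {}, ""
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)          # entries that follow belong to this adapter
        elif m := ENTRY.match(line):
            table[(iface, m.group(1))] = m.group(2).lower()
    return table                        # column headers and blank lines are skipped

def changed_mappings(before, after):
    """Return [(interface_ip, ip, old_mac, new_mac)] for entries whose MAC differs."""
    old, new = parse_arp(before), parse_arp(after)
    return sorted(
        (iface, ip, old[iface, ip], new[iface, ip])
        for iface, ip in old.keys() & new.keys()
        if old[iface, ip] != new[iface, ip]
    )

# Sample input: the first and last `arp -a` outputs from the session in this post.
BEFORE = """
Interface: 192.168.1.25 on Interface 0x9000006
Internet Address      Physical Address      Type
192.168.1.1            00-00-24-c5-94-f4     dynamic
"""
AFTER = """
Interface: 192.168.1.25 on Interface 0x9000006
Internet Address      Physical Address      Type
192.168.1.1            00-00-24-c6-66-84     dynamic
"""

if __name__ == "__main__":
    for iface, ip, old_mac, new_mac in changed_mappings(BEFORE, AFTER):
        print(f"{ip} (via {iface}): {old_mac} -> {new_mac}")
```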


