First page Back Continue Last page Overview Text


An IP address resides at a higher layer in our network model than the MAC (Hardware) address. On a LAN, packets find their way ultimately to their destination by MAC address. IP is needed to allow different LANs to route information to each other. But ultimately, whether it be a router, or even a switch or hub, the target will eventually be a MAC.

The "arp" tool can be used to see the MAC addresses your machine has associated with particular IP addresses. Once an entry is inside the arp cache, it is used to determine how to get to a host rather than querying the network itself. This is important, a confused arp cache can cause a great deal of problems for a host and especially for a router.

# arp -a

Most arp commands will allow you to set (-s) and delete (-d) arp entries from the local host arp cache. The expiration of the arp cache entries varies from platform to platform. For example, the default value in Linux is 1 minute, in Solaris 300 seconds and in most versions of AIX 20 minutes by default. It is also worth noting that getting a machine to set its arp cache entry (apart from forcing it with the arp command) sometimes is not possible unless the entry has expired (as is the case with Solaris). This is good for cases where someone on your network is trying to trick your box into using a false MAC value. The official term for this is called arp spoofing.