1. Introduction
The Address Resolution Protocol (ARP) is a way for systems to map an Internet Protocol (IP) address to a Media Access Control (MAC) address. When it comes to Linux, the final map is a cache, also called an ARP table. Notably, for performance or other reasons, we may sometimes need to drop all entries in this table in favor of rebuilding it.
In this tutorial, we discuss ways to flush ARP information. First, we briefly refresh our knowledge about the ARP table cache. After that, we talk about deleting entries from the table via a standard ARP command. Next, we create a one-line shell script to clear the whole ARP table. Finally, we turn to the de facto standard utility for network control and configuration to also control the ARP cache.
We tested the code in this tutorial on Debian 12 (Bookworm) with GNU Bash 5.2.15. It should work in most POSIX-compliant environments unless otherwise specified.
2. ARP Table Cache
Before going through some ways to delete it, let’s first see and understand the information that ARP generates and stores:
+--------------+-------------------+
| IP Address | MAC Address |
+--------------+-------------------+
| 192.168.1.1 | 01-00-01-BE-E1-01 |
| 192.168.2.10 | FE-ED-1D-EA-F2-10 |
| 192.168.6.66 | DE-AD-BE-EF-06-66 |
+--------------+-------------------+In this case, we have a general overview of the map between both address types. If we’ve had any form of communication with a network host, we’d see a mapping like this.
However, the actual information the kernel keeps in the ARP cache is a bit more comprehensive:
$ cat /proc/net/arp
IP address HW type Flags HW address Mask Device
192.168.1.1 0x1 0x2 01:00:01:be:e1:01 * eth1
192.168.2.10 0x1 0x2 fe:ed:1d:ea:f2:10 * eth0
192.168.6.66 0x1 0x6 de:ad:be:ef:06:66 * tun0In this case, we see the contents of the /proc/net/arp file in the /proc pseudo-filesystem. This file exposes the ARP table as the system sees it.
In particular, we can see a network interface associated with each entry. This is important, as it means the ARP protocol data can be separated by each physical and virtual device.
3. Using arp
Of course, we can delete specific ARP table entries with the classic arp command from the net-tools.
3.1. Remove Single Entry
Notably, the arp command enables us to remove one entry at a time:
$ arp --delete <ADDRESS>To do so, we use the –delete (-d) flag with one of the [ADDRESS]es for a given entry. However, this solution isn’t optimal since it doesn’t flush all entries simultaneously.
3.2. Remove All Entries
Still, we can work on all entries with a one-liner.
First, let’s get the output of arp with the -a flag:
$ arp -a
? (192.168.1.1) at 01:00:01:be:e1:01 [ether] on eth1
? (192.168.2.10) at fe:ed:1d:ea:f2:10 [ether] on eth0
? (192.168.6.66) at de:ad:be:ef:06:66 [ether] on tun0Notably, in this BSD-style format without fixed columns, the IP address appears in parentheses, so we can use them to extract it via sed:
$ arp -a | sed -n 's/.*(\([^()]*\)).*/\1/p'
192.168.1.1
192.168.2.10
192.168.6.66To clarify, we can break down the sed command and regular expression:
- -n suppresses the output of all lines by default
- s/ performs a substitution on each line
- .*(\([^()]*\)).* ignores all (.*) except the \(\) capture group surrounded by literal () parentheses
- /\1/ substitutes everything with the contents of the first capture group
- p prints only lines that underwent the substitution
Finally, we use the output of this command via command substitution:
$ for e in $(arp -a | sed -n 's/.*(\([^()]*\)).*/\1/p'); do arp -d $e; doneIn particular, we use a for loop to iterate the results and run arp -d for each IP address. As a result, all entries should be gone from the ARP table.
4. Using ip
The standard ip command doesn’t only work with IP settings, as it can also go lower and even higher in the OSI model.
Since ARP exists between the Data Link layer two (2) and the Network layer three (3) of the OSI, we can control aspects of the protocol through ip commands that work with either.
4.1. Remove Specific Interface Entries With ip [l]ink
The link scope exposes subcommands for the Data Link layer. Further, we can set settings like with other ip scopes:
$ ip link set [...]In particular, let’s see the options we have for ARP:
$ ip link set help
[...]
[ arp { on | off } ]
[...]While we don’t have direct access to the ARP table, the ip link set arp option provides a way for us to disable and enable ARP on a given interface.
Critically, disabling ARP interrupts all network connectivity on the interface that relies on the protocol, including but not limited to ongoing SSH sessions.
Because of this, we usually disable and reenable arp automatically as a one-liner:
$ ip link set arp off dev eth1; ip link set arp on dev eth1At this point, we can verify that the entries associated with the eth1 interface are gone from the ARP cache:
$ cat /proc/net/arp
IP address HW type Flags HW address Mask Device
192.168.2.10 0x1 0x2 fe:ed:1d:ea:f2:10 * eth0
192.168.6.66 0x1 0x6 de:ad:be:ef:06:66 * tun0However, depending on any ongoing communication, the entry might get restored as soon as ARP is back up. For example, running these commands through and for the network interface of an active local network SSH session, we would probably immediately see at least our own IP address in a table row.
Notably, since the dev option is mandatory for the commands above, using this approach to entirely clear the whole ARP table isn’t optimal.
4.2. Remove All Entries With ip [n]eighbour
In addition to the general Data Link layer commands, we have an ARP-specific ip scope called neighbour:
$ ip neighbour [...]With it, we can control ARP table entries:
- show all entries
- flush all entries
- get specific entries
- add entry
- delete entry
- change entry
- replace entries
When it comes to the flush command, we can remove all entries without risking connectivity interruptions:
$ ip neighbour flush allAlthough we can specify a network interface via the dev option to limit the scope of flush, omitting that achieves our goal of dropping all rows. This is usually the safest approach.
5. Summary
Although vital for most network communication, certain situations, such as when testing and debugging, can cause unnecessary build-up of ARP table entries, requiring a quick way to clean up.
In this article, we talked about the ARP cache and ways to drop entries from it.
In conclusion, there are many ways to manipulate and delete entries from the ARP table, including arp and variations of the standard ip command.