1. Overview

Address Resolution Protocol (ARP) is a network protocol that maps an Internet Protocol (IP) address to a physical or Media Access Control (MAC ) address. It’s an essential protocol used in all types of networks, from local networks to wide-area networks (WANs). Also, it’s an important component of the Linux networking stack. By default, it’s enabled in most distributions to avoid network connectivity issues.

In this tutorial, we’ll discuss how to check whether ARP is enabled in Linux. So, we’ll work with the arp, sysctl, cat, and ip neigh commands in the command line. Importantly, we’ll be working with the Ubuntu/Debian-based distribution.

2. Using the arp Command

arp is a simple command-line utility that allows us to view and manipulate the ARP cache. To clarify, an ARP cache is a table that contains a mapping of IP addresses to MAC addresses that have recently appeared on the network. Therefore, we can use it to check whether ARP is active.

Before we proceed, we first need to install this command:

$ sudo apt install net-tools
Reading package lists... Done
Building dependency tree... Done
Setting up net-tools (1.60+git20181103.0eebece-1ubuntu5) ...
Processing triggers for man-db (2.10.2-1) ...

The above command successfully installs the arp command from the net-tools package. Here, we use apt, a command line tool used to manage packages in Linux.

Next, let’s check whether ARP is active:

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
_gateway                 ether   18:a6:f7:89:7c:bc   C                     wlo1

Here, we can see that there are columns with details about the ARP cache:

  • Address – displays the IP address of the device in the ARP cache
  • HWtype – shows the hardware type of the device in the ARP cache
  • HWaddress – displays the MAC address of the device in the ARP cache
  • Flags – displays a series of flags that indicate the state of the ARP entry. C indicaties the entry is complete and valid.
  • Mask – the subnet mask associated with the device in the ARP cache
  • Iface – shows the network interface associated with the device in the ARP cache

The output above contains an entry indicating that ARP is active on our system. However, if the output returns an error or doesn’t display any entries, it means that ARP is currently not enabled.

3. Using the sysctl Command

sysctl is a command-line utility that helps us view and modify the kernel parameters including those related to networking. Therefore, we can also use it to check the status of ARP:

$ sysctl net.ipv4.conf.all.arp_ignore
net.ipv4.conf.all.arp_ignore = 0

Above we’re able to show the value of the arp_ignore parameter, which controls how the kernel handles ARP requests. This parameter exists in net.ipv4.conf.all, a part of the Linux kernel’s sysctl settings. In particular, the settings contain various network-related parameters applied to all network interfaces on our system. From the visible output, we get the value of 0 indicating ARP is active on our system. On the other hand, if the value is 1, then ARP isn’t active.

Furthermore, we can also check the arp_filter parameter:

$ sysctl net.ipv4.conf.all.arp_filter
net.ipv4.conf.all.arp_filter = 0

The command above displays the value of the arp_filter parameter. It controls whether ARP filtering is active or not. An output of 0 declares that ARP is active.

4. Viewing the arp_ignore Parameter Using cat

cat is a command-line utility useful for displaying the contents of a file, creating a new file, or concatenating the contents of multiple files and displaying the output. Additionally, we can use it to display the contents of system files, such as those related to network configuration:

$ cat /proc/sys/net/ipv4/conf/all/arp_ignore

The above command displays the value of the arp_ignore parameter. It controls how the system responds to ARP requests. In addition, this parameter is located in the /proc/sys/net/ipv4/conf/all/ directory, which contains various network-related configuration files for all network interfaces. The output of 0 indicates that ARP is active in our system.

Alternatively, we can use another approach:

$ cat /proc/sys/net/ipv4/conf/all/arp_filter

The instruction above displays the value of the arp_filter parameter as 0 indicating that ARP is active.

5. Using the ip neigh Command

The ip neigh command is a Linux tool used to display and manipulate the Neighbor Cache (NCache).

The NCache contains information about devices that the Linux system has recently communicated with. Additionally, it’s also known as the ARP table. This is because it contains the mapping between IP addresses and their corresponding physical addresses or MAC addresses.

So, we can use ip neigh to check whether ARP is active:

$ ip neigh dev wlo1 lladdr 18:a6:f7:89:7c:bc REACHABLE

The above command displays a list of current entries in the neighbor cache. Among these entries include the IP and MAC addresses of the devices on the network. In this situation, to check if ARP is active we’ll look at the lladdr field in our output. This field indicates each device’s physical (MAC) address on the local network.

Now, this field has a value of 18:a6:f7:89:7c:bc, the MAC address associated with the corresponding ip address in the ARP cache. This means that ARP is active and working properly. The system has successfully resolved the MAC address for that IP address using the ARP protocol.

However, if the lladdr field is empty, then the system doesn’t have the MAC address for that particular IP address in its ARP cache. This could be because the ARP protocol is inactive. Also, the device associated with that IP address might not be connected to the network.

6. Conclusion

In this article, we’ve discussed how to check whether ARP is active using the arp, sysctl, cat, and ip neigh commands in the command line. Furthermore, we saw each of these commands provides a different way of checking whether ARP is active or not.

By verifying that ARP is active, we can ensure that our network devices can communicate with each other over the network.

Inline Feedbacks
View all comments