ARP Explained: Address Resolution Protocol for Beginners

Every device on an Ethernet network uses two addresses at once: a logical IP for routing and a hardware MAC for delivery on the wire. Applications speak IP, but Ethernet frames require a destination MAC, so something must translate between the two.
Address Resolution Protocol, or ARP, does that translation for IPv4 on a local link. It’s tiny and fast, which is why it’s everywhere, but that simplicity can mislead you during outages. Small details—cache timers, unsolicited announcements, or a duplicate IP—often decide whether traffic flows or stalls.
This guide explains how ARP queries and replies actually move, what the cache stores, why gratuitous ARP exists, how proxy ARP changes behavior at a subnet boundary, and the practical checks you can run to isolate stale entries, duplicates, and spoofing without guesswork.
How ARP Works On A Local Network
When a host wants to send an IPv4 packet to a same-subnet peer and lacks the peer’s MAC, it broadcasts an ARP request to ff:ff:ff:ff:ff:ff: “Who has 192.0.2.25? Tell 192.0.2.10.” The owner of 192.0.2.25 replies unicast with its MAC. The sender caches that mapping and uses it to build the Ethernet frame for its IP packet. If the mapping already exists in the local cache and is considered reachable, the host skips the broadcast.
Routing Boundary: Default Gateway
If the destination IP is off-subnet, the sender doesn’t ARP for the far host. It ARPs for its default gateway’s IP, uses the gateway’s MAC as the frame destination, and lets the router forward the IP packet. That’s why a wrong or missing gateway yields “local hosts work, the Internet doesn’t.”
Inside The ARP Packet
Ethernet ARP has a compact header: hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), hardware size 6, protocol size 4. Opcode 1 is request, 2 is reply. Each packet carries sender MAC/IP and target MAC/IP. In a request, the target MAC is zero because it’s unknown. In the reply, all four fields are filled, which lets both endpoints learn or refresh their caches.
Broadcast Versus Unicast
ARP requests are broadcasts, so every host on the VLAN hears them and switches flood them out all ports in that VLAN. Replies are unicast to the original asker. Normal ARP volume is tiny compared to user traffic, but very large L2 domains can see noticeable broadcast load without suppression or caching features.
Why ARP Caches Matter
The ARP cache (neighbor table) stores recent IP-to-MAC bindings plus state and timers to avoid a broadcast for every packet. Dynamic entries live for a short window—commonly on the order of minutes—and refresh as traffic flows. If an entry expires or transitions to a non-reachable state, the next transmission triggers a new request. Static entries never age out; they can stabilize critical paths but create blind spots if the topology changes.
How Entries Become Stale
Mappings go stale when IP-to-MAC relationships change faster than the cache does. Typical causes include NIC swaps, VM migrations, LAG failover, or moving an IP address between clustered nodes. Symptoms are asymmetric or one-directional failures: one host still talks (fresh cache), the other times out (stale cache). Flushing the neighbor table or sending a gratuitous ARP usually resolves it immediately.
Static Versus Dynamic Entries
Static entries pin a specific MAC to an IP and bypass normal aging. They help in very locked-down environments or for point-to-point links, but they are brittle in networks with redundancy or mobility. If you must use them, document thoroughly and revisit them during change windows to avoid silent breakage.
Gratuitous ARP And Why It Exists
A gratuitous ARP is an unsolicited announcement where the sender and target IP are the same. It tells neighbors “IP 192.0.2.25 is now at MAC aa:bb:cc:dd:ee:ff.” Systems emit it at boot, after an IP change, or during failover (for example, when a VIP swings between nodes). Neighbors that accept the update refresh their caches immediately, so traffic pivots to the new MAC without waiting for old entries to expire. The same exchange can reveal conflicts: if another host already uses the IP, you may see an ARP response or local logs complaining about a duplicate.
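The header fields listed under "Inside The ARP Packet" and the sender-equals-target rule above can be checked directly on captured bytes. The following parser is an added example, not code from the original article; the function names and the 02:... sample MAC are assumptions made for illustration.

```python
import ipaddress
import struct
from typing import NamedTuple

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, opcode, then sender/target MAC+IP
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes

class Arp(NamedTuple):
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload: bytes) -> Arp:
    """Parse the ARP payload that follows the 14-byte Ethernet header."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if op not in (1, 2):
        raise ValueError(f"unexpected opcode {op}")
    ip = lambda raw: str(ipaddress.IPv4Address(raw))
    return Arp(op, _mac(sha), ip(spa), _mac(tha), ip(tpa))

def classify(pkt: Arp) -> str:
    """Gratuitous ARP: sender IP equals target IP, whatever the opcode."""
    if pkt.sender_ip == pkt.target_ip:
        return "gratuitous"
    return "request" if pkt.opcode == 1 else "reply"

def build_arp(op, sha, spa, tha, tpa) -> bytes:
    """Build a sample payload (used only to construct the inputs below)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed samples using the article's addresses; the 02:... MAC is made up.
REQUEST = build_arp(1, "02:00:00:00:00:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.25")
ANNOUNCE = build_arp(1, "aa:bb:cc:dd:ee:ff", "192.0.2.25", "00:00:00:00:00:00", "192.0.2.25")

if __name__ == "__main__":
    for raw in (REQUEST, ANNOUNCE):
        print(classify(parse_arp(raw)), parse_arp(raw))
```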
When Gratuitous ARP Backfires
Because any host can claim any mapping, blind acceptance allows spoofing. Attackers can poison caches and intercept traffic. Enterprises commonly pair DHCP snooping (to build a trusted IP–MAC–port list) with Dynamic ARP Inspection (DAI), which drops ARP messages that don’t match the trusted bindings. On endpoints, security agents can rate-limit or validate ARP to blunt abuse.
Common Pitfalls: Stale Entries And Duplicates
Two of the most frequent ARP-driven outages are stale caches and duplicate IP addresses. Stale caches appear after topology changes and cause timeouts until the affected host relearns the correct MAC. Duplicates are noisier: you may see flapping between two MACs for the same IP, intermittent connectivity, and logs like “duplicate address detected.” Root causes include static misconfiguration, overlapping DHCP scopes, or an accidentally imaged device that retained a hardcoded IP.
How To Spot Them Fast
On Windows, “arp -a” lists the table and “arp -d *” flushes it. On Linux, “ip neigh” shows states such as REACHABLE, STALE, DELAY, and FAILED; “ip neigh flush dev eth0” clears a device’s entries. On macOS, “arp -a” and “arp -d -a” are the equivalents. A packet capture with filter “arp” makes duplicates obvious: two different sender MACs answering for the same target IP are the giveaway.
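The "two different sender MACs for the same IP" check can be automated over sender fields pulled from a capture. This is an added example, not part of the original article; the observations are constructed, and treating a MAC that reclaims an IP within 60 seconds as flapping (as opposed to a single move such as a failover) is a heuristic assumed here.

```python
from collections import defaultdict

def analyze_claims(observations, window=60.0):
    """observations: (timestamp_seconds, sender_ip, sender_mac) from ARP frames.
    Returns a report for every IP that was claimed by more than one MAC."""
    changes = defaultdict(list)  # ip -> [(ts, mac)] recorded at each change of owner
    for ts, ip, mac in sorted(observations):
        log = changes[ip]
        if not log or log[-1][1] != mac:
            log.append((ts, mac))
    report = {}
    for ip, log in changes.items():
        if len(log) < 2:
            continue  # only one MAC ever claimed this IP
        # Flapping: a MAC that lost the IP takes it back within `window` seconds.
        flapping = any(
            log[i][1] in {m for _, m in log[:i - 1]}
            and log[i][0] - log[i - 1][0] <= window
            for i in range(2, len(log))
        )
        report[ip] = {
            "macs": sorted({m for _, m in log}),
            "changes": len(log) - 1,
            "verdict": "flapping" if flapping else "moved",
        }
    return report

# Constructed observations: one duplicate, one clean failover, one stable host.
SAMPLE = [
    (0.0, "192.0.2.25", "02:00:00:00:00:25"),
    (1.2, "192.0.2.25", "02:00:00:00:00:99"),
    (2.1, "192.0.2.25", "02:00:00:00:00:25"),
    (3.5, "192.0.2.25", "02:00:00:00:00:99"),
    (0.0, "192.0.2.100", "02:00:00:00:01:0a"),
    (5.0, "192.0.2.100", "02:00:00:00:01:0a"),
    (30.0, "192.0.2.100", "02:00:00:00:01:0b"),
    (31.0, "192.0.2.100", "02:00:00:00:01:0b"),
    (4.0, "192.0.2.10", "02:00:00:00:00:10"),
]

if __name__ == "__main__":
    for ip, info in analyze_claims(SAMPLE).items():
        print(ip, info)
```

A "moved" verdict is consistent with a NIC swap or VIP failover; "flapping" is the pattern to investigate as a duplicate address or spoofing.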
Understanding Proxy ARP
Proxy ARP lets a router answer ARP requests on behalf of a host that is not on the local subnet, then forward at Layer 3. It makes disjoint subnets appear contiguous to legacy devices that use the wrong masks or can’t be reconfigured. It can be a lifesaver for compatibility, but it hides real boundaries and can create odd asymmetric paths. Prefer correct masks and routing; use proxy ARP only when you can’t change the endpoints and keep the scope tightly controlled.
When Proxy ARP Makes Sense
Typical uses include connecting older embedded devices that assume a /24 to a larger or smaller prefix, or bridging a temporary migration where you can’t renumber yet. In both cases, document the interfaces and consider ACLs to prevent unexpected lateral movement.
Security Considerations And Defenses
ARP’s trust model is optimistic: anyone can send announcements. On managed switches, enable DHCP snooping to track legitimate lease bindings, then enable DAI on user VLANs to validate ARP against those bindings. Combine with port security to pin expected MAC counts per port and storm control to keep broadcast floods in check. For especially sensitive peers (for example, a gateway or VIP), a pinned entry on a small set of servers is reasonable as long as you include it in change control.
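To make the validation step concrete, here is a simplified model of the decision DAI makes per ARP frame, written as an added example rather than any switch vendor's implementation. The binding table, port names, MAC addresses, and the Ethernet-source check being enabled are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed binding table, as DHCP snooping would learn it: ip -> (mac, port)
BINDINGS = {
    "192.0.2.10": ("02:00:00:00:00:10", "Gi0/1"),
    "192.0.2.25": ("02:00:00:00:00:25", "Gi0/2"),
}
TRUSTED_PORTS = {"Gi0/24"}  # uplink toward the gateway; ARP here is not inspected

def inspect(port, eth_src, sender_mac, sender_ip):
    """Return (permit, reason) for one ARP frame received on `port`."""
    if port in TRUSTED_PORTS:
        return True, "trusted port"
    if eth_src != sender_mac:
        return False, "Ethernet source differs from ARP sender MAC"
    binding = BINDINGS.get(sender_ip)
    if binding is None:
        return False, "no binding for sender IP"
    if binding != (sender_mac, port):
        return False, "sender MAC/port does not match binding"
    return True, "matches binding"

def run(frames):
    """Inspect a batch; return per-frame results and a drop counter per port."""
    results, drops = [], Counter()
    for frame in frames:
        permit, reason = inspect(*frame)
        results.append((permit, reason))
        if not permit:
            drops[frame[0]] += 1
    return results, drops

# Constructed frames: (ingress port, Ethernet source, ARP sender MAC, ARP sender IP)
FRAMES = [
    ("Gi0/1", "02:00:00:00:00:10", "02:00:00:00:00:10", "192.0.2.10"),  # legitimate host
    ("Gi0/2", "02:00:00:00:00:25", "02:00:00:00:00:25", "192.0.2.1"),   # claims gateway IP
    ("Gi0/2", "02:00:00:00:00:25", "02:00:00:00:00:25", "192.0.2.10"),  # claims a peer's IP
    ("Gi0/24", "02:00:00:00:00:01", "02:00:00:00:00:01", "192.0.2.1"),  # gateway via uplink
    ("Gi0/1", "02:00:00:00:00:10", "02:00:00:00:00:99", "192.0.2.10"),  # header mismatch
]

if __name__ == "__main__":
    results, drops = run(FRAMES)
    for frame, (permit, reason) in zip(FRAMES, results):
        print("PERMIT" if permit else "DROP  ", frame[0], frame[3], "-", reason)
    print(dict(drops))
```

Statically addressed devices such as the gateway have no DHCP lease, which is why the model places the gateway behind a trusted port; the per-port drop counts are the figure to compare against switch counters during troubleshooting.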
Troubleshooting Workflow
Work layer by layer. First, verify local IP, mask, and gateway match the subnet plan. Next, ping a same-subnet neighbor and the default gateway. If the neighbor fails, inspect the ARP table: is there a MAC entry for the neighbor’s IP? If not, either the broadcast isn’t reaching the target or the target is down. If there is an entry but traffic still fails, flush it to force re-resolution and watch for gratuitous ARP storms or spoofing. If the gateway pings but remote hosts don’t, shift focus to routing or name resolution rather than ARP.
Packet Capture Tips
Filter on “arp or icmp” to see both the resolution attempt and the subsequent liveness test. Unanswered ARP requests mean the target didn’t see the broadcast or can’t respond. Multiple replies for the same target IP point to duplicates. A sudden burst of unsolicited ARP replies often indicates either a failover event or spoofing; check switch counters and logs for DAI drops.
Commands Worth Memorizing
Windows: “arp -a”, “arp -d *”, “ipconfig /all”. Linux: “ip addr”, “ip route”, “ip neigh”, “ip neigh flush”, “tcpdump -i eth0 arp”. macOS: “arp -a”, “arp -d -a”, “ifconfig”, “netstat -rn”. Network devices: verify whether ARP inspection, port security, and storm control are active and whether they’re dropping broadcasts or ARP frames.
Real-World Scenarios
VIPs and clustered firewalls rely on gratuitous ARP after failover so neighbors immediately send new flows to the active node. Hypervisors trigger announcements after live migration to move traffic to the VM’s new top-of-rack switch. Modern fabrics (for example, EVPN/VXLAN) reduce broadcast by answering ARP from a control-plane cache near the edge; the idea is the same—keep a fresh mapping where it’s needed. In small offices, duplicates usually trace to static IPs inside a DHCP scope; the durable fix is to reserve static addresses outside the scope and let DHCP manage everything else.
ARP Versus Neighbor Discovery
IPv6 replaces ARP with Neighbor Discovery over ICMPv6. The operational ideas carry over—there’s still a neighbor cache and unsolicited announcements—but message types and security extensions differ. When an issue is IPv6-only, check “ip -6 neigh” on Linux or “ndp -a” on BSD-derived systems and validate router advertisements and prefixes.