- How to clear the ARP cache on Linux?
- results matching » «
- No results matching » «
- How to Check and Clear the ARP Cache in Windows, Linux and Mac?
- What is ARP cache?
- When to clear the ARP cache ?
- How to clear the ARP cache?
- Windows
- Linux
- Mac
- Conclusion
- How to clear the ARP cache on Linux?
- Clearing cache with ip
- Clearing cache with arp command
- Conclusion
- Continue reading
- The purpose of the /etc/networks file
- Linux Security Guide for Hardening IPv6
- List network interfaces on Linux
- Which Linux process is using a particular network port?
- 7 comments
How to clear the ARP cache on Linux?
In some cases you might need to clear your ARP cache. There are two common ways on Linux, using the arp or ip utility.
Clearing cache with arp The arp utility does not accept an option to clear the full cache. Instead, it allows to flush out entries found with the -d option.
After deleting, have a look with the arp utility again to see the new list:
[email protected]:~# arp -n Address HWtype HWaddress Flags Mask Iface 192.168.1.1 (incomplete) eth0 192.168.1.2 ether 00:02:9b:a2:d3:f3 C eth0 192.168.1.3 ether 00:02:9b:d9:d1:a2 C eth0
Clearing cache with ip Newer Linux distributions have the ip utility, which has a more advanced way to clear out the full ARP cache
[email protected]:~# ip -s -s neigh flush all 192.168.1.1 dev eth0 lladdr 00:a1:04:c6:10:14 used 757/757/28 probes 6 STALE 192.168.1.2 dev eth0 lladdr 00:02:9b:a2:d3:f3 used 2555/719/659 probes 6 STALE 192.168.1.3 dev eth0 lladdr 00:02:9b:d9:d1:a2 ref 1 used 0/0/0 probes 6 DELAY
Round 1, deleting 3 entries Flush is complete after 1 round The first -s will provide a more verbose output. The second one defines the neighbor table, which equals the ARP and NDISC cache.
Conclusion Depending on your distribution, the ip utility is quicker if you want to flush out the full ARP cache. For individual entries the arp tool will do the job as quickly.
results matching » «
No results matching » «
How to Check and Clear the ARP Cache in Windows, Linux and Mac?
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.
Misconfigured or expired ARP cache entries in the system might be one of the reasons for network connectivity problems.
Are you aware that clearing the ARP cache in your system may fix loading problems and connectivity errors?
This article will look at how to check and clear the ARP cache in the different operating systems.
What is ARP cache?
ARP stands for Address Resolution Protocol, which is responsible for discovering MAC addresses and mapping them to IP addresses in order to communicate successfully with other systems on the local network. This protocol works between the data link layer and network layer.
Instead of asking the router every time where the particular device is located and what its mac address is, our system would just connect using the previously resolved IP address.
When our systems find the MAC addresses for the particular IP address using ARP protocol, they will be stored in a table for future use. This table is called ARP cache. It contains a list of known IP addresses and their MAC addresses.
ARP request is a broadcast, and ARP reply is unicast.
When to clear the ARP cache ?
If the IP addresses of the network-linked devices change, ARP entries can get corrupted or expired, and new entries may not always overrule the database’s expired entries.
As a result, it may impact network performance and may cause loading or connectivity problems. In this case, you can simply clear the ARP cache to resolve the issue because clearing the ARP cache will cause all of your requests to go through the entire ARP process again. During this process, the new entries will be saved in the ARP table.
Some errors may occur during the rebuilding of the ARP cache table, so deleting the ARP cache all the time is not recommended. Instead, you can also reboot your router or system to resolve the connectivity problems.
How to clear the ARP cache?
We can easily clear the ARP cache in any operating system by using the command line. Let’s get started.
Windows
Step 1: Open a command prompt and run it as an administrator.
Step 2: To view the ARP cache table, just type the following command.
This command displays the IP addresses, and it’s associated mac addresses.
Step 3: Next, to delete the cache table, you can use netsh utility.
netsh interface IP delete arpcache
Step 4: If you want to delete any specific entry in the cache, not the whole table.
C:\WINDOWS\system32>arp -a Interface: 192.168.29.64 --- 0xd Internet Address Physical Address Type 192.168.29.1 a8-da-0c-e8-0e-e6 dynamic 224.0.0.22 01-00-5e-00-00-16 static 224.0.0.251 01-00-5e-00-00-fb static 224.0.0.252 01-00-5e-00-00-fc static Interface: 192.168.56.1 --- 0x14 Internet Address Physical Address Type 224.0.0.22 01-00-5e-00-00-16 static 224.0.0.251 01-00-5e-00-00-fb static 239.255.255.250 01-00-5e-7f-ff-fa static C:\WINDOWS\system32>netsh interface IP delete arpcache Ok.
You will get ‘OK’ as a response if you use the netsh utility to clear the cache table.
Linux
Step 1: Open a terminal and use the following IP utility command to clear the whole ARP table.
Step 2: If you want to delete the ARP record for a particular address, use arp utility.
Step 3: After deleting the entries, you can simply use the following command to view the ARP table in Linux.
This command displays the whole arp table.
┌──(root💀kali)-[/home/geekflare] └─# arp -d 10.0.2.1 ┌──(root💀kali)-[/home/geekflare] └─# arp -n Address HWtype HWaddress Flags Mask Interface 10.0.2.1 (incomplete) 10.0.2.2 ether 01:00:5e:00:00:fc C eth0 10.0.2.3 ether a8:da:0c:e8:0e:e6 C eth0
Here, you can observe the cache entry for the specific address is cleared.
Mac
Step 2: To view the existing ARP entries.
Step 3: To delete the cache for a particular interface
sudo arp -d 192.168.29.1 ifscope en0
Step 4: To clear the whole cache table
$ sudo arp -a ? (192.168.29.1) at 01:00:5e:00:00:fc on en0 ifscope [ethernet] ? (192.168.2.13) at a8:da:0c:e8:0e:e6 on en0 ifscope [ethernet] ? (192.168.1.21) at 01:00:5e:00:0e:16 on en0 ifscope permanent [ethernet] $ sudo arp -a -d 192.168.29.1 (192.168.29.1) deleted 192.168.2.13 (192.168.2.13) deleted 192.168.1.21 (192.168.1.21) deleted
Conclusion
If you can’t ping a particular IP address in the same network even though they’re working correctly, it’s a sign that something is wrong. Your ARP cache table may need to be reconstructed again.
I hope you found this article helpful in learning how to clear the ARP cache in different operating systems.
How to clear the ARP cache on Linux?
There are several reasons when you might need to clear your ARP cache. There are two common ways on Linux systems, typically using the arp or ip utility. Depending on your Linux distribution and the availability, we suggest using the ip tool.
Clearing cache with ip
Newer Linux distributions have the ip utility. The ip tool has a more advanced way to clear out the full ARP cache.
The first -s will provide a more verbose output. By adding one more, we can select the neighbor table. The neighbor table with the ip command equals both the ARP and NDISC cache. Note that the -s options are not available on all versions of the ip command. If it not supported for your version of ip, then simply remove them from the command.
The output of the flush all command will produce the following output.
The ARP cache is cleared, with verbose output
Clearing cache with arp command
The arp utility does not accept an option to clear the full cache. Instead, it allows to flush out entries found with the -d option.
After deleting, have a look with the arp utility again to see the new list:
The output of this command will typically show the active ARP entries.
Address HWtype HWaddress Flags Mask Iface 192.168.1.1 (incomplete) eth0 192.168.1.2 ether 00:02:9b:a2:d3:f3 C eth0 192.168.1.3 ether 00:02:9b:d9:d1:a2 C eth0
The 192.168.1.1 entry now shows as incomplete, which means the ARP entry will be refreshed when it is needed again.
Conclusion
Depending on your distribution, the ip utility is quicker if you want to flush out the full ARP cache. For individual entries, the arp tool will do the job as quickly. Both tools are available for most distributions, including Arch Linux, CentOS, Debian, Fedora, RHEL, and Ubuntu.
Did this article to clear the ARP cache help you as well? Wonderful! Become part of the community and share this on social media to let others know. Got questions or suggestions? Join us in the comments.
One more thing.
Keep learning
So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.
Security scanning with Lynis and Lynis Enterprise
Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.
Continue reading
The purpose of the /etc/networks file
Linux Security Guide for Hardening IPv6
List network interfaces on Linux
Which Linux process is using a particular network port?
7 comments
I need to apply flush-clean the arp table, and to have one option as Winsock for the case of win7 and if exist clean the register as Ccleaner, because I have the problem ;
ubuntu@ubuntu:~$ netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp6 0 0 ::1:631 . * LISTEN
tcp6 1 0 ::1:53003 ::1:631 CLOSE_WAIT
How can to resolve this case , in other case appear following: I think that need to clean , by the “listen”
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 172.252.37.7:46799 94.31.29.192:80 ESTABLISHED
tcp 0 0 172.252.37.7:51130 91.189.94.232:443 ESTABLISHED
tcp 0 0 172.252.37.7:45273 91.189.95.69:80 ESTABLISHED
tcp 0 0 172.252.37.7:44964 149.210.134.182:443 ESTABLISHED
tcp 0 0 172.252.37.7:45270 91.189.95.69:80 ESTABLISHED
tcp 0 0 172.252.37.7:60107 64.233.176.95:80 TIME_WAIT
tcp 0 0 172.252.37.7:35899 216.58.219.110:80 TIME_WAIT
tcp 0 78 172.252.37.7:40483 216.58.219.72:443 LAST_ACK
tcp 0 0 172.252.37.7:59036 216.58.219.67:80 TIME_WAIT
tcp 0 78 172.252.37.7:38157 64.233.185.94:443 LAST_ACK
tcp 0 0 172.252.37.7:45275 91.189.95.69:80 ESTABLISHED
tcp 0 0 172.252.37.7:51127 91.189.94.232:443 ESTABLISHED
tcp 0 0 172.252.37.7:45271 91.189.95.69:80 ESTABLISHED
tcp 0 0 172.252.37.7:41876 216.58.219.68:80 ESTABLISHED
tcp 0 0 172.252.37.7:43539 64.233.185.154:80 ESTABLISHED
tcp 0 0 172.252.37.7:45272 91.189.95.69:80 ESTABLISHED
tcp 0 0 172.252.37.7:39388 24.139.135.147:80 ESTABLISHED
tcp 0 0 172.252.37.7:60106 64.233.176.95:80 TIME_WAIT
tcp 0 0 172.252.37.7:51131 91.189.94.232:443 ESTABLISHED
tcp 0 0 172.252.37.7:37724 216.58.219.78:80 TIME_WAIT
tcp 0 0 172.252.37.7:59708 216.58.219.66:80 ESTABLISHED
tcp 0 0 172.252.37.7:51586 173.194.219.95:80 TIME_WAIT
tcp 0 0 172.252.37.7:51128 91.189.94.232:443 ESTABLISHED
tcp 0 0 172.252.37.7:37227 216.58.219.98:80 TIME_WAIT
tcp 0 0 172.252.37.7:45274 91.189.95.69:80 ESTABLISHED
tcp 0 0 172.252.37.7:51587 173.194.219.95:80 TIME_WAIT
tcp 0 0 172.252.37.7:35809 64.233.176.94:80 ESTABLISHED
tcp 0 0 172.252.37.7:59035 216.58.219.67:80 TIME_WAIT
tcp 0 0 172.252.37.7:51132 91.189.94.232:443 ESTABLISHED
tcp 0 0 172.252.37.7:51129 91.189.94.232:443 ESTABLISHED
tcp 0 0 172.252.37.7:35666 216.58.219.110:80 TIME_WAIT
tcp 0 0 172.252.37.7:34426 173.194.219.94:80 ESTABLISHED
tcp6 0 0 ::1:631 . * LISTEN
tcp6 1 0 ::1:53003 ::1:631 CLOSE_WAIT Thanks for your attention , Reply
These are your active connections (to your web server software). ARP is a protocol one level below these network connections. For details for flushing the ARP table, see the article on how to do that. For easily resetting the active connections, reload your web server daemon (Apache, nginx etc). The ports which state “LISTEN”, have a daemon running (53 = DNS, 631 = SAMBA or CUPS). Reply
The statement “The second one defines the neighbor table” is not accurate. Both -s are for verbosity (providing 2 increases it). The basic command is simply “ip neigh flush all” Reply
Depending on your version of the ip utility, you may not have the -s option available. The text have been extended to reflect that. Thanks for the feedback! Reply
ip neigh flush all does not flush the cache completely, i.e. it does not delete the entries from the neighbor table. Instead it only clears the cached MAC addresses in the neighbor table, i.e. it sets all entries to state FAILED. But the entries with IP and IPv6 address are still kept in the cache. In former times the kernel expired entries after some time without usage, but unfortunately, this is not done anymore and there seems to be no way to remove entries manually. Even a normal user could fill the neighbor cache with lots of entries which will stay until the next reboot. E.g. with “for n in <1..255>; do ping -c1 10.0.0.$n; done” Reply1..255>
I expected arp entries of things in use to be more or less immediately re-populated, as the next packet to them would initiate an arp query and response in a few milliseconds. This was not the case. It took about 2 minutes for everything to return to normal. So be advised. Reply