The arp (address resolution protocol) is a simple Windows network command-line utility used to view and manage the arp cache. The arp cache is a collection of IP and MAC addresses of devices on your local network that your computer knows about. This tool is typically used in troubleshooting network issues.
The commands shown here are tested on computer with Windows 8 but most will work in other versions of Windows as well.
Arp command (address resolution protocol) is used to view and manage the arp cache. The arp cache contains a dynamic list of IP addresses of the devices (computers, routers) your computer communicated with recently. More importantly, along with the IP address, the MAC address (the 6-byte 'burned-in' physical/hardware address) of the device is also stored in the cache.
The purpose for maintaining an arp cache is to improve network performance. When your computer communicates with a device, regardless of whether it is on your local network (e.g., file server) or is external to it (e.g., website, ftp server), your computer needs to know the MAC address of the device to communicate with it. In the case of external devices, your computer needs to communicate with your network router. Within the same network, all hosts communicate with each other by addressing each other by their MAC address.
By maintaining an arp table that maps an IP address to its associated MAC address of the device, your computer does not need to query the network for the MAC address each time it needs to communicate with it. When your computer needs to communicate with a device that is not in its arp cache, it will perform a network query (using arp) to get the MAC address. In essence, it asks "who has 192.168.128.64". The device that has this IP will reply back with its MAC address. This IP and MAC address mapping is then stored on your computer's arp cache for quick lookup in future communication.
To use this utility, you will need to launch the Command Prompt window. The three common ways to launch the Command Prompt window are:
cmdusing the built-in Windows search tool.
cmdat the Run window that appears.
arp [/a [<Inetaddr>] [/n <ifaceaddr>]] [/g [<Inetaddr>] [-n <ifaceaddr>]] [/d <Inetaddr> [<ifaceaddr>]] [/s <Inetaddr> <Etheraddr> [<ifaceaddr>]]
|/a  [/n ]||Displays current arp cache tables for all interfaces. The /n parameter is case-sensitive.|
|/g  [/n ]||Identical to /a.|
|/d [Inetaddr]||Deletes an entry with a specific IP address, where Inetaddr is the IP address in dotted decimal notation.|
|/s [Inetaddr] [Etheraddr]||Adds a static entry to the arp cache that resolves the IP address Inetaddr to the physical address Etheraddr.|
|/?||Displays help information.|
In an arp cache table, you will typically find two types of entries - dynamic and static. A dynamic entry is an IP to MAC address pair that your computer has learned of itself during recent communication with that device. A static entry on the hand is one that was manually entered (or by the operating system) into the cache. Static entries will remain in the cache indefinitely unless explicitly removed. Dynamic entries will stay in cache unless they have not been used recently and the ARP cache timeout has expired.
There are a variety of switches (sub commands) available with the arp utility that will alter how it will function. At the most basic, the arp is used with teh /a switch to display the arp cache table of a computer.
To view the arp cable table for all the interfaces (network adapters) on your computer, type the following in the command window then press Enter:
The screenshot example below is the arp output of a particular computer. The output of your result will differ. In our screenshot example, it shows 9 entries in the table.
The arp cache results are dynamic and displays the IP and MAC address of devices (computers, routers) your computer network communicated (e.g., ping, internal website) with recently that are on your network. The table does not display the IP address of websites, servers and other devices outside of your network. It will however, show the IP and MAC address of your router as it is the device your computer communicate with on your internal network to get to the external server.
The /d Inetaddr switch is used to delete an entry from the arp cache, where Inetaddr is the IP address.. On newer Windows operating system, this command requires elevated permission. See this article on how to launch command prompt in administrator mode.
Although entries in the arp cache will automatically be removed if your computer has not communicated with it recently, being able to manually delete an entry is helpful particularly when you know an entry is incorrect or when performing network troubleshooting.
For example, to delete the entry with IP address of 192.168.1.100 from our above example screenshot, type the following in the command window then press Enter:
arp /d 192.168.1.100
If you display the cache once the delete command is issued, you will see the entry is no longer listed, as illustrated in the screenshot below.
The /d switch when used without specifying an IP address will delete the entire arp cache. On newer Windows operating system, this command requires elevated permission. See this article on how to launch command prompt in administrator mode. Unless you are troubleshooting a network issue that requires it, deleting the entire arp cache is not typical. For most computers, deleting the entire cache has no adverse effect. Your computer will simply re-perform the arp look-ups find the MAC addresses when the need arises.
To delete the entire arp cache, type the following in the command window then press Enter:
If you display the cache once the delete command is issued, you will see the entire cache is empty (or near empty), as illustrated in the screenshot below. Depending on how soon you are viewing your arp cache after performing the delete command, you may already see your cache being re-populated as your computer continues re-learns them as it communicates with devices on your network.
The /s switch when used to manually add an entry to the arp cache. To add the IP address 192.168.128.100 to the physical address of 00-11-22-AA-BB-CC, type the following in the command window then press Enter:
arp /s 192.168.128.100 00-11-22-AA-BB-CC
On newer Windows operating system, this command requires elevated permission. See this article on how to launch command prompt in administrator mode.
If you display the cache once the add command is issued, you will see the cache now shows the entry you added, as illustrated in the screenshot below. Additionally, because it is manually added, this entry is flagged as a static entry..
The example usage described in the article shows only some of the functions available with arp. To get a list of the available switches, type the following in the command window then press Enter:
This will create a file named arp-results.txt in the folder path c:\temp that will have your result. You can then open this file with any text editor, such as Notepad on a Windows computer, as illustrated below.
arp /a > c:\temp\arp-results.txt
An investment in knowledge always pays the best interest.
You will likely not find a need to examine an ARP cache for most of your troubleshooting work. However, understanding the purpose and the use of ARP is fundamental for any networking professional as it employs basic TCP/IP communication concepts.Back to Top