Skip to main content

Linux networking: arp versus ip neighbour

Kick it old school with arp or join the cool kids with ip neigh. Same great info with two different tools.
yellow door blue door

Photo by Skitterfolk from Pexels

Address resolution protocol, aka ARP, is a communication protocol used in IPv4 networks. It was developed in 1982 and has been a staple in most networks since that time. The same functionality exists for IPv6 networks in the Neighbor Discovery Protocol (NDP). In short, the protocol translates a machine's IP address into its physical address or Media Access Control (MAC) address. ARP functions with a cache or table that can be manipulated by the user to add or remove addresses. If the destination address is already in this cache, then the protocol is not needed, and the information can be sent to the desired host.

The arp command allows users to manipulate the neighbor cache or ARP table. It is contained in the Net-tools package along with many other notable networking commands (such as ifconfig). The arp command has since been replaced by the ip neighbour command. The ip command suite was introduced in Linux 2.2. It contains many options for accomplishing these same tasks. Let's take a look at the functionality that is offered by each of these programs.

*Note that I am running these examples on a virtual machine so your output may vary in content, but the framework should be the same*

The old

The arp command has as many options as you would expect from a Linux networking tool. I am not going to cover them all. However, we will look at the basics and the information that is provided in each.

Displaying entries

Using the arp command without any additional options lists the current contents of the ARP cache.

[tcarrigan@rhel ~]$ arp
    Address                  HWtype  HWaddress           Flags Mask            Iface
    _gateway                 ether   51:53:00:17:34:09   C                     enp0s3

You should notice the following columns: Address, HWtype, HWaddress, Flags, Mask, and Iface. On my system, the Address is _gateway, however on most systems, you see IPv4 address listed ( or the like). The HWtype is specified as ether (Ethernet), and the HWaddress is the translated MAC address. The Flags field indicates if the address has been learned, manually set by the user, published, or is incomplete. IFace is simply the name of the interface that is listed.

Display entries for a specific interface

To see all arp entries for a particular interface, you would use the following:

[tcarrigan@rhel ~]$ arp -i bondX

Display entries for a specific address

To see all arp entries for a particular address, use the following:

[tcarrigan@rhel ~]$ arp -a

Adding a new entry

To add an entry (permanently) to the cache, use the -s option. You need to specify the IP and MAC addresses, as well as the interface. Seen here:

[tcarrigan@rhel ~]$ arp -s -i ethX 51:53:00:17:34:09

Removing an entry

To remove an entry from the arp cache, simply use the -d flag, followed by the IP address you wish to remove. Seen here:

[tcarrigan@rhel ~]$ arp -d

The new

The ip neigh (you can use neigh, neighbor, or neighbour - they're all equivalent) command allows the user to manipulate the arp cache in the same way as before. However, the method is a little different this time. Let's take a look at some of the functionality with the new ip neigh command suite.

Displaying entries

To display the current entries in the arp table, use the following:

[tcarrigan@rhel ~]$ ip neigh show dev enp0s3 lladdr 51:53:00:17:34:09 REACHABLE

Things to note here are the IP address, interface name, MAC address, and the system state. System state is the big change here, and it can range from reachable, permanent, stale, and delay. Check online for more info on these states.

Adding a new entry

To add a new entry to the table using the ip command, use the following:

[tcarrigan@rhel ~]$ ip neigh add dev ethX

Removing an entry

To delete an existing entry from the table, use the following:

[tcarrigan@rhel ~]$ ip neigh del dev ethX

This is the way?

So, now that you have seen both command suites in action, what is your take on it? Which do you prefer and why? At this point, I still prefer the arp command suite for its robust feature set. I feel as though I can do more with it. However, I do think that the command syntax and structure is easier with the ip command.

If you can't decide between the two, keep in mind that the net-tools package from which the arp command originates is no longer actively developed, and most of those tools have been deprecated in favor of their ip equivalents, so even if you're familiar with the older tool it may be a good idea to learn the new one before your older option disappears.

Feel free to write a response piece to this article and email it to the team! We would love to hear from you.

[ Want more for your network? Download a free ebook on network automation with Ansible. ]

Topics:   Networking  
Author’s photo

Tyler Carrigan

Tyler is a community manager at Enable Sysadmin, a submarine veteran, and an all-round tech enthusiast! He was first introduced to Red Hat in 2012 by way of a Red Hat Enterprise Linux-based combat system inside the USS Georgia Missile Control Center. More about me

On Demand: Red Hat Summit 2021 Virtual Experience

Relive our April event with demos, keynotes, and technical sessions from
experts, and sign up to attend breakout sessions June 15–16.

Related Content

Enumerating a new network with nmap
Here are some basic Nmap flags that you can use to generate a quick and useful network map for effective troubleshooting and managing network traffic.