When troubleshooting networking issues, a wide range of potential problems need to be investigated. One potential issue is that the ARP cache contains incorrect data. This scenario is extremely unlikely and is most often caused by a user editing their own ARP cache for some purpose. But no matter how the issue was caused, it still needs to be fixed. So, what is the ARP cache and how do you clear it?
What is the ARP cache?
ARP stands for Address Resolution Protocol. It resolves IP addresses to MAC addresses and is used exclusively for communications over a local network. The ARP cache stores routing information for local IP addresses, and also contains a default route to the gateway for external resources.
The ARP cache can only be modified by a device on the local network. ARP messages are broadcast to the entire local network, and any device that can see ARP messages will adjust its ARP cache to match the newest information. Therefore, changes to the cache on a device can be made by a user, or potentially by a virus on any device on the network. The ARP cache cannot be directly modified by users outside of the local network.
Tip: Modifying the ARP cache manually should not be done lightly, as it can cause networking issues.
The most likely reason for the ARP cache needing to be cleared is that the user of the device tried to modify their own cache by hardcoding a value in an attempt to fix an issue, and made it worse by accident.
How to clear the ARP Cache
The first step to clearing the ARP cache is to open an elevated command prompt. Doing this gives it the administrative rights that are necessary to perform the deletion. Open the Windows start bar and type “CMD”, then right-click on Command Prompt and select “Run as administrator”.
In the elevated command prompt, type the command “arp -a” to view the ARP cache. To wipe the ARP cache, run the command “arp -d”. The -a flag instructs the program to display the ARP cache; the -d flag instructs it to delete the cache.
-d switch does not delete the cache.
Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr] [-v]

  -a            Displays current ARP entries by interrogating the current
                protocol data. If inet_addr is specified, the IP and Physical
                addresses for only the specified computer are displayed. If
                more than one network interface uses ARP, entries for each ARP
                table are displayed.
  -g            Same as -a.
  -v            Displays current ARP entries in verbose mode. All invalid
                entries and entries on the loop-back interface will be shown.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified
  -d            Deletes the host specified by inet_addr. inet_addr may be
                wildcarded with * to delete all hosts.
I’m hesitant to do a complete purge, because I’m seeing a lot of invalid entries in the ARP table. There might be a problem with the ARP system?
I tried a delete of one of the invalid lines, but that doesn’t seem to make a difference, even when elevated.
I’m doing this on a Windows Server 2012.