
ARP: Why Is the Service Not Available?

Something spooky happened: I was told that the service I was in charge of was not working properly and that no one could log in to it.

The problem was quickly sorted out:

I checked the ARP table on all the servers and, interestingly, found that they were different. For the same IP, the MAC addresses were different on different servers.

1. How does ARP work?

2. How to use the ARP command

2.1 Prepare

Install the dependencies if they are not there:

Install Dependencies

`sudo apt-get install net-tools arping`

2.2 List ARP Table

List ARP Table

sudo arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
                         ether   02:42:ac:11:00:02   C                     docker0
                         ether   02:42:ac:11:00:03   C                     docker0
                         ether   00:15:5d:94:fc:5b   C                     eth0
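
The cross-server comparison described at the start of this post can be automated. The following is an added example, not code from the original post: it parses `arp -n` output collected from several servers and reports every IP that maps to more than one MAC address. The host names, IPs and MAC addresses in the sample are constructed.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

def parse_arp_n(text):
    """Parse `arp -n` output into {ip: (mac, is_static)}.

    The header row and "(incomplete)" rows are skipped because their
    third column is not a MAC address.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # Complete row: Address HWtype HWaddress Flags [Mask] Iface
        if len(fields) >= 5 and MAC_RE.match(fields[2]):
            # Flag "M" marks a permanent entry, e.g. one set with `arp -s`.
            entries[fields[0]] = (fields[2].lower(), "M" in fields[3])
    return entries

def find_conflicts(tables):
    """tables maps server name -> `arp -n` text.

    Returns {ip: {mac: [servers]}} for every IP that resolves to more
    than one MAC address; servers holding a static entry are marked.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for server, text in tables.items():
        for ip, (mac, static) in parse_arp_n(text).items():
            seen[ip][mac].append(server + " (static)" if static else server)
    return {ip: {mac: sorted(srv) for mac, srv in macs.items()}
            for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample tables (hypothetical hosts, documentation-range IPs).
HEADER = "Address      HWtype  HWaddress           Flags Mask  Iface\n"
SAMPLE = {
    "app1": HEADER + "192.0.2.10   ether   00:15:5d:00:00:0b   C           eth0\n"
                     "192.0.2.11   ether   00:15:5d:00:00:0c   C           eth0\n",
    "app2": HEADER + "192.0.2.10   ether   00:15:5D:00:00:0B   C           eth0\n"
                     "192.0.2.12           (incomplete)                    eth0\n",
    "app3": HEADER + "192.0.2.10   ether   02:00:00:00:00:99   CM          eth0\n",
}

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE).items():
        for mac, servers in macs.items():
            print(f"{ip} -> {mac} seen on {', '.join(servers)}")
```

The comparison is only meaningful between servers on the same layer-2 segment, since ARP entries describe neighbours on the local link.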

2.3 Send an ARP Request

Let's do an ARP ping, which will request the MAC Address of IP:, and let's send two requests.


This will send two arpings.

sudo arping -c 2

42 bytes from 00:15:5d:94:fc:5b ( index=0 time=297.300 usec
42 bytes from 00:15:5d:94:fc:5b ( index=1 time=532.100 usec

--- statistics ---
2 packets transmitted, 2 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.297/0.415/0.532/0.117 ms

As you can see here, both responses came back with the same MAC address.

However, in the trouble I described at the start of this post, some of my servers received two responses to one request (one of them was incorrect, and was sent by a device that should not respond), and the later one would overwrite the former one.

2.4 Set the ARP Table Manually

Let's set the MAC Address of the IP( from 00:15:5d:94:fc:5b to 00:15:5d:94:fc:5a. Do you think we can still ping that IP afterwards?

First, we test whether we can ping the IP normally:

Normal Condition

ping -c 2
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=128 time=1.78 ms
64 bytes from icmp_seq=2 ttl=128 time=0.607 ms

--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.607/1.192/1.777/0.585 ms

As you can see, it is working perfectly.

Then we manually change the MAC address of the IP to 00:15:5d:94:fc:5a:

Manually Change The Mac Address

arp -s 00:15:5d:94:fc:5a

Abnormal Condition

ping -c 2

Now, the IP is unavailable.

PING ( 56(84) bytes of data.

--- ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1051ms

2.5 ARP Scan

Let's do an ARP scan within a range of IPs:

First, install nmap if you haven't already.


sudo apt-get install nmap


nmap -sn -PR 172.17.151.*