24

Both:

sudo ip -s -s neigh flush all

And:

sudo arp -d 192.168.0.102

Instead of clearing the arp cache they seem to just invalidate entries (they will appear as incomplete). Even after some minutes, the ARP cache looks like:

$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.103                    (incomplete)                              eth0
192.168.0.1              ether   DE:AD:BE:EF:DE:AD   C                     eth0

(The MAC of the gateway has been refreshed - that is ok)

How can I really clear the ARP cache, like in "delete all entries from the table"? I do not want to keep incomplete entries, I want them removed. Is this possible?

EDIT

This is my system:

» arp --version
net-tools 1.60
arp 1.88 (2001-04-04)
+I18N
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE 
HW: (ether) +ETHER +ARC +SLIP +PPP +TUNNEL -TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB +EUI64 

» lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:        14.04
Codename:       trusty

» uname -a
Linux polyphemus.xxx-net 3.13.0-46-generic #77-Ubuntu SMP Mon Mar 2 18:23:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Matt
blueFast
  • 3
    What are you trying to accomplish here? Or more clearly, what problem are you trying to solve? – EEAA Mar 18 '15 at 21:48
  • Are you short of arp table entries? Maybe there's a program asking for that IP, thus renewing that entry. Check with `wireshark` or `tcpdump`. – ott-- Mar 18 '15 at 21:56
  • 5
    @MichaelMartinez because [xy problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). It seems likely that question isn't the root problem and there might be some underlying problem that the OP should be working on instead. – Zoredache Mar 18 '15 at 22:17
  • @EEAA: It is a bit long to explain. I am having trouble with my SIP client in one of my routers, so I need to restore factory settings and reconfigure. For this I need to reconfigure my network topology, because restoring factory settings stops this router from playing nicely in my LAN. This happens often, and every time I have trouble locating the IP of the device. Since I am unable to trick my DHCP server into giving fixed IPs, I have decided to create a personal mapping of MAC addresses to hostnames, so that I can automatically identify hosts by MAC, processing NMAP output. – blueFast Mar 19 '15 at 06:38
  • For this I need first to manually identify some important hosts by MAC address, but I am seeing too much rubbish in the ARP cache, which annoys me. So I want to clean it, but the clear operation does not do what it is supposed to do, which annoys me **way more** – blueFast Mar 19 '15 at 06:40
  • @jeckyll2hide Please edit that information into your original answer, so more people can see it without digging into the comments. – EEAA Mar 19 '15 at 06:41
  • 2
    The reason why this information is not in the question is because it is not relevant. I want a clean ARP cache. Full stop. You do not trust me that I want that, but that is your problem, not mine. I assure you: I want a clean ARP cache. – blueFast Mar 19 '15 at 06:44
  • In case ARP (or the kernel?) does not support this (!), a simple "not possible" would suffice. Some rationale on "why" would be welcome. – blueFast Mar 19 '15 at 06:53
  • 2
    There is an in-depth explanation of the ARP cache mechanism here: http://stackoverflow.com/a/15511117/647991 – blueFast Mar 19 '15 at 09:59
  • I have the same problem (and the same reason: I want a clear ARP table, for OCD reasons if no other) and neither solution works. – WoJ Mar 18 '16 at 07:39

4 Answers

15

Original oneliner

ip link set arp off dev eth0 ; ip link set arp on dev eth0

Be sure to do it all at once, so you don't break network connectivity before you're able to turn ARP back on.

Interface discovering copy-paste command

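# Collect each interface named in the ARP table. The interface is the last
# column; (incomplete) rows have fewer fields, so use $NF rather than $5.
interfaces=$(
  arp -n | awk '
    NR == 1 {next}
    {interfaces[$NF]+=1}
    END {for (interface in interfaces){print(interface)}}
  '
);
for interface in $interfaces; do
  echo "Clearing ARP cache for $interface";
  sudo ip link set arp off dev "$interface";
  sudo ip link set arp on  dev "$interface";
done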

Note: The semicolons allow you to condense this command into a oneliner, but it looks terrible in a code block on SO.

Example output on Raspbian

pi@raspberrypi:~ $ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   58:19:f8:0d:57:aa   C                     wlan0
10.0.0.159               ether   88:e9:fe:84:82:c8   C                     wlan0

pi@raspberrypi:~ $ interfaces=$( arp -n | awk ' NR == 1 {next} {interfaces[$5]+=1} END {for (interface in interfaces){print(interface)}} '); for interface in $interfaces; do echo "Clearing ARP cache for $interface"; sudo ip link set arp off dev $interface; sudo ip link set arp on  dev $interface; done
Clearing ARP cache for wlan0

pi@raspberrypi:~ $ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.159               ether   88:e9:fe:84:82:c8   C                     wlan0
nyet
  • 2
    One must either do it in a shell script or at the machine, as it seems to break the connectivity after the first command. – Louis Oct 19 '16 at 19:33
  • I did it on one line, and it worked: `dev=eth2; ip link set arp off dev $dev; sleep 1; ip link set arp on dev $dev`. The `sleep` may not be necessary. – mivk Jun 27 '17 at 16:31
5

Your first solution works, it just takes a little time (5-10 seconds in my test on Kali) to go from "(incomplete)" to no entries.

Presumably it is in some sort of transitional state on its way to being deleted.

armani
  • For me (Ubuntu 14.04) this was not the case: the entries are kept for a long time (forever?) in the incomplete state. I will re-check this again today. – blueFast Mar 19 '15 at 06:57
  • Verified: even after some minutes, the entries are still there, in the incomplete state (arp 1.88, net-tools 1.60) – blueFast Mar 19 '15 at 07:28
  • Well then your issue is certainly non-standard behavior, maybe particular to Ubuntu 14.04. The correct way for doing it in Linux is just not working for you. Hope you find your answer soon. Can delete this one if you'd like. – armani Mar 19 '15 at 15:06
  • 1
    No, leave it, it gives info for others. But I guess that the more "standard" behavior is to be found in Ubuntu, not in Kali, which is a distro for penetration testing and has default values specifically tweaked for that use case. – blueFast Mar 19 '15 at 15:15
5

Your mentioned solution is the correct and safe approach to flush the ARP table:

ip neigh flush all [dev <device>]

If certain entries are changed into invalid, that's temporary and part of the ARP protocol. The important aspect is that the mapping is gone; an ARP entry flagged as incomplete is not an IP-MAC entry on the table.

I've just tried this and in my case it immediately cleared the table and left no incomplete entries.

Pedro
  • 1
    In some (unclear) cases, ip neigh flush all is not sufficient. In my case it did not clear entries added with arp -s. – MappaM Feb 13 '19 at 16:13
  • I much prefer this to my own answer above, with the added caveat regarding static ARP entries, depending on the desired behavior. – nyet Jul 08 '20 at 19:13
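
Added example, not part of the answer or comments above: a check of what is still in the neighbour table after a flush, separating real IP-to-MAC mappings from INCOMPLETE/FAILED placeholders and from PERMANENT (static) entries, which a default `ip neigh flush all` skips. The function names and the sample table are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample of `ip neigh show` output taken after a flush
# (addresses and MACs are made up for this example).
sample_neigh() {
cat <<'EOF'
192.168.0.1 dev eth0 lladdr de:ad:be:ef:de:ad REACHABLE
192.168.0.103 dev eth0  FAILED
192.168.0.102 dev eth0  INCOMPLETE
192.168.0.50 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
fe80::1 dev eth0 lladdr de:ad:be:ef:de:ad router STALE
EOF
}

# classify_neigh: read `ip neigh show` lines on stdin and print
# "<kind> <address> <device> <state>" where kind is
#   mapped     - entry carries a usable IP-to-MAC mapping
#   unresolved - INCOMPLETE/FAILED placeholder, no MAC behind it
#   static     - PERMANENT entry, which a default flush does not touch
#   other      - any other state (for example NOARP)
classify_neigh() {
  awk '
    {
      state = $NF; dev = "-"
      for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
      if (state ~ /^(INCOMPLETE|FAILED)$/)                kind = "unresolved"
      else if (state == "PERMANENT")                      kind = "static"
      else if (state ~ /^(REACHABLE|STALE|DELAY|PROBE)$/) kind = "mapped"
      else                                                kind = "other"
      print kind, $1, dev, state
    }'
}

# static_delete_commands: emit one explicit deletion per static entry.
# The commands are printed, not executed, so they can be reviewed first.
static_delete_commands() {
  classify_neigh | while read -r kind addr dev state; do
    if [ "$kind" = static ]; then
      echo "ip neigh del $addr dev $dev"
    fi
  done
}

# Stand-alone run on the sample; on a live host pipe `ip neigh show` in instead.
sample_neigh | classify_neigh
sample_neigh | static_delete_commands
```
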
1

On certain systems, the ip command is not available.

user@linux:~$ ip
-bash: ip: command not found
user@linux:~$

So this is the alternative to the ip link set arp off dev eth0; ip link set arp on dev eth0 command.

If you want to delete all entries from the table in a single command, use a for loop like the following example.

BEFORE

user@linux:~$ arp
? (10.0.0.1) at 00:00:00:aa:aa:12 [ether]  on eth1
? (172.168.0.3) at 00:00:00:aa:aa:11 [ether]  on eth2
user@linux:~$ 

REMOVING ARP WITH ARP -D COMMAND

user@linux:~$ for i in 10.0.0.1 172.168.0.3; do sudo arp -d $i; done
user@linux:~$

AFTER: MAC ADDRESS REMOVED FROM THE ENTRIES WITH INCOMPLETE MESSAGE

user@linux:~$ arp
? (10.0.0.1) at <incomplete>  on eth1
? (172.168.0.3) at <incomplete>  on eth2
user@linux:~$ 

That's true: after deleting ARP entries with the arp -d command, the entries are still there with the incomplete message.

To solve this problem, use ifconfig ethx up/down like this

BEFORE

user@linux:~$ arp
? (10.0.0.1) at <incomplete>  on eth1
? (172.168.0.3) at <incomplete>  on eth2
user@linux:~$ 

DISABLE & ENABLE THE INTERFACES ETH1 & ETH2 IN A SINGLE COMMAND

user@linux:~$ for i in 1 2; do sudo ifconfig eth$i down; sudo ifconfig eth$i up; done
user@linux:~$ 

TADAAA ... PROBLEM SOLVED :)

user@linux:~$ arp
user@linux:~$ 
Charlotte Russell