I ran arp -a on a Linux server, and this is the output:
[root@trnsrv1 ~]# arp -a
? (10.223.8.82) at 00:50:56:B5:75:08 [ether] on bond0
? (10.223.11.254) at E0:5F:B9:66:A6:00 [ether] on bond0
10.223.11.254 - this is the gateway
10.223.8.82 - this is another server, and it is not the only one on the LAN.
Why did it appear and others did not?
Why did it appear and others did not?
Because those were the only two machines which had exchanged network traffic with your server within the last 60 seconds, or whatever arp cache value is specified on your system in /proc/sys/net/ipv4/neigh/default/gc_stale_time, if different from the default of 60.
arp -a reports what is in the arp cache; it does not make any attempt to populate the cache with as many entries as possible.
You need to know a little about arp caches before you can effectively interpret the output of an arp cache
The arp cache contains IP:MAC Address mappings for:
Hosts your server exchanged traffic WITHIN IT'S OWN SUBNET
Router interfaces used to route traffic between your host and others in DIFFERENT subnets
The arp cache of these IP:MAC Address mappings do NOT survive:
Networking restart.
Server reboot.
Although Garbage Collection ("gc") should purge these mappings in your arp cache that exceed the specified GC threshold, the reality is they persist, albeit recorded as "stale"
So you won't see an IP:MAC mapping of a host your server exchanged traffic with that's addressed on a DIFFERENT subnet, or even one within your host's own subnet if the networking or server itself was restarted.
BTW, if you want to test the persistence of mappings beyond the GC interval, ping another host within the same subnet and after stopping the ping periodically execute:
ip -statistics neighbour
You'll see the IP:MAC Address for the host you ping'ed remains past the GC interval.
