Awareness

10 Commands to Monitor ARP Activity on Your System

Published  ·  21 min read

You come to work one morning, and the internet is slow. Websites take forever to load. Some pages show strange certificate warnings. Your colleague says the same thing is happening to them.

Your network is not congested, and your firewall is not blocking anything. Something else is wrong.

Someone on your network might be performing an ARP spoofing attack. They are intercepting traffic between your computer and the router, and you cannot see it happening.

The Address Resolution Protocol (ARP) is how devices on a local network find each other. When ARP is attacked, your traffic goes to the wrong place. Monitoring ARP activity is the only way to spot these attacks before they cause real damage.

Here are ten practical commands to monitor ARP activity on Windows, Linux, and macOS systems, with real examples you can run right now.

What Is ARP and Why Monitor It

ARP (Address Resolution Protocol) is a method for converting between Internet Protocol (IP) and Media Access Control (MAC) addresses. For example, an IP address might be "192.168.1.1" and a MAC address might be "00:1A:2B:3C:4D:5E."

Before a computer can communicate with another computer on the same network, it will send out a request asking, "who is associated with this IP address?" Upon receiving the request, the device that has assumed the IP address will respond with its MAC address. The mapping between the IP and MAC addresses is stored in the ARP cache or ARP table.

Monitoring ARP is important because an attacker can send fake ARP responses (presenting themselves as the router or some other device) and your computer will accept the reply as legitimate. Therefore, rather than sending your traffic to the correct target, your computer sends your packets to the attacker.

This is commonly referred to as ARP spoofing, ARP poisoning and a man-in-the-middle attack.

If you monitor ARP all the time, you can see if there might be ARP spoofing attacks, by looking at:
1. Many devices that are using the same IP address
2. An abrupt change in your MAC Address on your Default Gateway
3. Adding ARP entries to your ARP cache that you did not create.

Next, we will look at the commands needed to monitor ARP.

Command 1: arp -a (Available for Windows, Linux, macOS)

The command arp -a will display the ARP Cache (ARP Table) that your computer has created. The ARP Cache provides the IP addresses that your computer has learned and the associated MAC addresses.

How to run it:
For Windows, open either Command Prompt or Windows PowerShell then enter:
arp -a

For Linux or macOS, open Terminal and enter:
arp -a

You will receive output showing an ambiguous IP address interface, its associated MAC address, and if its an ARP entry or separate attachment.

Interface: 192.168.1.100 --- 0x3

Internet Address Physical Address Type
192.168.1.1 00-14-22-33-44-55 Dynamic
192.168.1.25 AA-BB-CC-DD-EE-FF Dynamic
192.168.1.30 11-22-33-44-55-66 Dynamic

Column definitions:
1. Internet Address: This is an IP address of another DHCP assigned device on your local area network (LAN).
2. Physical Address: This is the MAC Address assigned by the device to connect to the LVN.
3. Type: This field identifies the type of entry by defining whether it is constructed dynamically (learned) or statically (manually assigned).

Using this for monitoring:
Run arp -a on a regular basis, save both copies of output. If you see an unexpected MAC Address for your gateway IP (which is normally 192.168.1.1 or 192.168.0.1 ) then you may have been subject to ARP Spoofing.

A practical example:
arp -a | findstr "192.168.1.1"
If the MAC Address for the gateway has changed from one run to another, you must investigate immediately.

Command 2: arp -d (Windows, Linux, macOS)

The arp -d command is used to delete entries from your ARP cache. It will come in handy if you suspect that an entry has been spoofed and want your computer to get the correct mapping again.

How to carry out this process:
On Windows if you want to delete a specific entry is as follows:
arp -d 192.168.1.1

To clear all entries from the ARP cache on Windows, use:
arp -d *

On Linux if you want to delete a specific entry is the same syntax as for Windows except that you need to add the "sudo" command in front:
sudo arp -d 192.168.1.1

To clear the entire ARP cache on Linux you have to use either restarting the networking service or using the command "ip neigh flush".

How to use this to monitor:
If you suspect an ARP spoofing attack, delete the suspicious entry then generate some network traffic. After creating traffic run the command arp -a again. See if your computer has now learned a different MAC address.

Example scenario:
# Delete the suspect gateway entry
arp -d 192.168.1.1

# Ping the Gateway to trigger a new ARP Request
ping 192.168.1.1 -n 1

# View the new ARP entry
arp -a | findstr "192.168.1.1"

If your computer has now learned the same MAC address as the suspect, then the attacker continues to respond to find your computer. If your computer has learned the correct MAC address, you have proved that the attacker was successful in your ARP cache.

Command 3: arp -s (Windows, Linux, macOS)

The ARP command arp -s creates a static entry in your ARP table. This static entry means that it will remain unchanged. It will also ignore any invalid ARP replies.

To enter a static entry: On Windows use the Command Prompt and enter this command.
arp -s 192.168.1.1 00-14-22-33-44-55

On Linux use the Terminal and enter the command:
sudo arp -s 192.168.1.1 00:14:22:33:44:55

To monitor your network to prevent ARP spoofing: If you know your router’s MAC address you can use the arp command to create a static entry for your router’s MAC address so that your computer will not accept an ARP reply from any other MAC address as coming from your router.

Example:
# Find your router’s MAC Address
arp -a | findstr "192.168.1.1"

# Then you will be able to add the MAC address you have discovered to the ARP table as a static entry
arp -s 192.168.1.1 00-14-22-33-44-55

# Verify static entry in ARP table by checking that the static entry shows up in the ARP table
arp -a | findstr "192.168.1.1"

The MAC address of the router should now show as "static" rather than "dynamic" in the ARP table.

Caution: You should use static entries only on a network where devices will not change often and for critical systems, such as documenting your gateway or DNS.

Command 4: ip neigh (Only for Linux)

The 'ip neigh' command is the modernized Linux alternative to 'arp -a.' It displays the Linux neighbor table instead of the ARP cache (Linux's ARP cache is referred to as the neighbor table) with additional detail.

How to Run the Command:
ip neigh show

What you Will See:
192.168.1.1 dev eth0 lladdr 00:14:22:33:44:55 REACHABLE
192.168.1.25 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.30 dev eth0 lladdr 11:22:33:44:55:66 DELAY

Understanding the Various States:
1. REACHABLE - The device was checked to be reachable within the past 30 seconds.
2. STALE - It has not been accessed recently and needs verification for continuity.
3. DELAY - response from device (to a check) was not received within the expected timeframe to verify that the packet sent to the device was received.
4. FAILED - no response received from device
5. INCOMPLETE - A resolution to the problem has not yet been confirmed.

How to use this for monitoring:
The ip neigh command shows you not just the mappings but also the state of each connection. If you see FAILED entries for your gateway, something is wrong.

Practical example:
# Watch the neighbor table for changes every 2 seconds
watch -n 2 ip neigh show
This refreshes the display every two seconds and highlights any changes in red. It is excellent for real-time monitoring.

Command 5: arping (Linux/macOS/Windows from the command-line toolbox) 

The command-line utility arping can be used to send ARP requests to a particular IP address (specified) and to show any responses from that IP address. Unlike ping, which sends ICMP echo requests across networks and across layers of the OSI model, arping is a utility that uses Layer 2 (Ethernet).

To install: 
On linux, arping is often pre-installed. If it is not, you can easily install it by running the following: 
sudo apt install arping

On macOS, you can install via homebrew: 
brew install arping 

On Windows, you can use arping as part of the windows sysinternals toolkit.

To run: 
arping 192.168.1.1

What you will see: 
ARPING 192.168.1.1 
42 bytes from 00:14:22:33:44:55 (192.168.1.1): index=0 time=2.345 ms 
42 bytes from 00:14:22:33:44:55 (192.168.1.1): index=1 time=1.987 ms 

How to use for monitoring: 
Arping is perfect for identifying ARP spoofing. If an attacker is impersonating your gateway, you would receive ARP replies from both the real gateway and the attacker.

Example use to find ARP spoofing is: 
# Send five ARP requests to the gateway 
arping -c 5 192.168.1.1 

If you see two different MAC addresses responding for the exact same IP address (in this case, 192.168.1.1) then an ARP spoofing attack is in progress. 

To detect duplicate IPs: 
# See if there are any other devices claiming your IP 
arping -D -I eth0 192.168.1.100 


This will check if another device is already using your IP address (in this case, 192.168.1.100). If it is being used by another device, then you are either involved in an IP duplication conflict or the IP address is being targeted by an attack.

Command 6: tcpdump -i (Linux, macOS)

tcpdump is a packet analyzer that allows you to view, in real-time the ARP packet flow across your network. How to install:

Linux: 
sudo apt install tcpdump

macOS:
tcpdump

Note: tcpdump is usually pre-installed on macOS. What command to run:
sudo tcpdump -i (use the name of your actual NIC instead of eth0) arp

What you will see:
12:34:56.789012 ARP, Request who-has (IP address) 192.168.1.1 tell (IP address) 192.168.1.100, length 42 
12:34:56.789456 ARP, Reply 192.168.1.1 is-at (MAC address) 00:14:22:33:44:55, length 42

How to use tcpdump for monitoring  ARP traffic:
By using tcpdump you can observe the live ARP requests/responses on your network for unusual patterns in ARP traffic.

Checking for ARP flooding can be done by capturing ARP traffic with tcpdump and timestamps. You can do so with: 

# Capturing ARP Traffic with Timestamp Information 
sudo tcpdump -i (i.e. your Network Interface Card i.e. eth0) -n arp 

You may be seeing an ARP flood or ARP scanning activity if there are a large number of ARP requests coming from one source address (ex. 192.168.1.xxx) for ARP at a rate of hundreds of requests per minute.

One way to capture ARP traffic for analysis is: 
sudo tcpdump -i (your network interface card – such as eth0) arp -w arp_traffic.pcap 

Once the ARP traffic has been captured, you may use WireShark to help in analyzing the captured file.

Command 7: TShark (available for Linux, MacOS and Windows)

TShark is the command-line interface for accessing Wireshark. It also provides a better display and filtering of ARP packets versus TCPDump. 

To install: 
Download Wireshark from www.wireshark.org; TShark will be installed with the default installation of Wireshark.

How to run it:
tshark -i eth0 -Y "arp"

What you will see:
1 0.000000 00:1a:2b:3c:4d:5e -> Broadcast    ARP 42 Who has 192.168.1.1? Tell 192.168.1.100
2 0.000234 00:14:22:33:44:55 -> 00:1a:2b:3c:4d:5e ARP 60 192.168.1.1 is at 00:14:22:33:44:55

How to use this for monitoring:
tshark can do statistical analysis of ARP traffic.

Practical example for finding the most active ARP speaker:
# Count ARP requests by source MAC
tshark -r arp_traffic.pcap -Y "arp.opcode == 1" -T fields -e eth.src | sort | uniq -c | sort -nr
This tells you which device on your network is sending the most ARP requests, which is useful for finding a scanning or attacking machine.

Detect ARP spoofing with tshark:
# Look for different MAC addresses claiming the same IP
tshark -r arp_traffic.pcap -Y "arp.duplicate-address-detected"

Command 8: ip -s neigh (Linux)

The ip command can show statistics about your neighbor table, including how many entries have failed or are stale.

How to run it:
ip -s neigh show

What you will see:
192.168.1.1 dev eth0 lladdr 00:14:22:33:44:55 REACHABLE used 23/23/21 probes 1
192.168.1.25 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE used 12/12/10 probes 0
192.168.1.30 dev eth0 lladdr 11:22:33:44:55:66 DELAY used 5/5/3 probes 2

Explanation of Additional Information:
1. The entry # next to ‘Used’ indicates how long ago it was accessed. 
2. The column titled “probes” show how many packets have been sent but have not yet received an answer back. 

Using this to Monitor:
If you see many probes being sent to your gateway entry, that shows that your computer is having trouble communicating with it. This may be due to either an apparent failure of some component on your network, or could be the result of an ARP spoofing attack blocking any communication from being established.

Example:
Clear out the ARP table and observe it building back up again.
sudo ip neigh flush all
watch -n 1 ip -s neigh show
This will show you your computer's real-time monitoring of other devices on the network.

Command 9: nmap -sn (Linux, macOS, Windows)

By using Nmap to send ARP requests, you can discover all devices connected to your local network with Nmap (a network scanning program). Compared to IP scanning, ARP scanning can be much faster, and as such, is typically more accurate as well.

How do I install it:
On Linux:
sudo apt install nmap

On macOS:
brew install nmap

How do I run it:
sudo nmap -sn 192.168.1.0/24
This command will scan the 192.168.1.x network using ARP request (to discover all devices in that range).

What you will see:
Starting Nmap 7.80 ( https://nmap.org ) at 2026-01-15 10:00
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
MAC Address: 00:14:22:33:44:55 (Router Manufacturer)
Nmap scan report for 192.168.1.100
Host is up (0.0012s latency).
MAC Address: 00:1A:2B:3C:4D:5E (Dell Inc.)

How can I use this for monitoring:
Regularly perform this type of scan and compare it with scans you previously performed. If a device joins your network that you did not detect in previous scans, investigate it further.

Example of detecting ARP spoofing:
# Scan the network and write to a file
sudo nmap -sn 192.168.1.0/24 > arp_scan_$(date +%Y%m%d).txt

# Compare with yesterdays scan
diff arp_scan_<date > arp_scan_<date >
Any differences will show new devices found or changes in MAC Address.

Detect duplicate IP Addresses:
sudo nmap -sn 192.168.1.0/24 --script=ipidseq
This script can detect if two devices are using the same IP address and if there are any unknown devices on the network.  It will also list these devices and their MAC address.

Command 10: arpwatch (Linux)

An ARP Watch is an application that monitors ARP traffic and keeps track of changes relative to the ARP table. It also has the ability to notify users by email of any suspicious activity detected.

How to install:
On Linux:
sudo apt install arpwatch

How to configure:
Edit the configuration file in order to set your own network interface and email address.
sudo nano /etc/default/arpwatch

Set:
INTERFACES="eth0" 
ARGS="-m [email protected]"

How to start it:
sudo systemctl enable arpwatch
sudo systemctl start arpwatch

What this program does:
ARP Watch runs in the background and logs each ARP request and ARP response. If an ARP request contains a new MAC address for a prior existing IP address, then ARP Watch records a “flip” and can also send the user an email notification. 

Where to find the logs:
sudo cat /var/log/arpwatch/arpwatch.log

What the log looks like:
Jan 15 10:00:01 arpwatch: flip 192.168.1.1 00:14:22:33:44:55 (00:14:22:33:44:55) (new) (00:aa:bb:cc:dd:ee) (old)

This log line indicates that the MAC address assigned to the IP address of 192.168.1.1 has changed from an old MAC address to a new MAC address. This is a classic indication of ARP spoofing.

Practical example for continuous monitoring

Once arpwatch is running, you do not need to do anything. It monitors continuously and alerts you when something changes. This is the best solution for long-term ARP monitoring.

To check for flips (potential attacks):
sudo grep "flip" /var/log/arpwatch/arpwatch.log
If you see many flip entries for your gateway IP, you are almost certainly under ARP spoofing attack.

Use of Commands: A Quick Reference Guide

This section will assist you in determining which command to run based on your environment setup and what you require to accomplish.
1. To view the ARP cache, run "arp -a" (available on all operating systems), or "ip/neigh/show" (available only in Linux).
2. To delete an ARP entry that appears suspicious, use "arp -d " (works on any OS).
3. When adding static entries to ARP cache to keep from being spoofed by an attacker, use "arp -s  " (works on any OS).
4. For real-time detection of duplicate or spoofed IP addresses, use "arping -D" or "arping -c 5" (works on any OS).
5. To view all ARP network traffic occurring at this moment, you can use "sudo tcpdump -i eth0 arp" (works with Linux only).
6. For analysis of saved ARP traffic, either use "tshark -r file.pcap -Y 'arp'" (works on any OS) or "wireshark" (works on any OS) to view in graphical format.
7. To scan your whole network looking for devices, use "sudo nmap -sn 192.168.1.0/24" (works on any OS).
8. For continuous 24/7 ARP monitoring, install and run "arpwatch" (works on any OS).
9. For real-time interactive display of changes to entries, use "watch -n 2 ip neigh show" (works with Linux only).
10. To review or analyze a possible attack after-the-fact, check out the output of "arpwatch" or capture files you saved with "tcpdump".

Signs You Have an ARP Attack

Use the following list to identify ARP attacks.

The Gateway MAC address is changing unexpectedly
Under most circumstances, your router's MAC address will not change, and if it does change, there is a good chance you have an ARP attack; your gateway device is likely being spoofed.

You have multiple MAC addresses for one IP address
When running the command arping -c 5 192.168.1.1 and you receive responses from more than one MAC address, there is a good chance you are under attack.

You see your IP address listed in the ARP cache
When you run the command arp -a | grep YOUR_IP, if you see your IP address, it has been spoofed.

You are seeing a high number of ARP requests
When running sudo tcpdump -i eth0 arp and you see the count greater than a couple of times per second, it may indicate that your network is being attacked.

You see unknown MAC addresses
If you see any MAC addresses on your network that you do not recognize, you can find out what manufacturer they belong to using macvendors.com and then investigate the unknown MAC addresses further; if they are foreign, it is highly likely that your network is being attacked.

You have NO or INCOMPLETE entries in ip neigh
If your computer has tried to communicate with a device and failed, it will be noted in the ip neigh cache that you have failed or incomplete entries, and repeated failures may indicate that there has been an attack of this device.

Responding to an ARP Spoofing Attack

If you have detected an ARP Spoofing Attack you should take the following actions.

Immediate Actions:

1. Clear the ARP cache with arp -d * (Windows) or sudo ip neigh flush all (Linux) as soon as possible.
2. Create a Static ARP Entry For Your Gateway.
3. Set Static ARP Entry for Your Gateway by using arp -s 192.168.1.1 <Correct-MAC>.
4. Disconnect From the Network.

After clearing your ARP Cache and adding a static ARP entry for your gateway, you should disconnect from your network and either use a Hotspot on your phone or another network while performing sensitive activities.

Investigate the Attack:

1. The evidence of an ARP Spoofing Attack can be captured by using sudo tcpdump -i eth0 arp -w attack.pcap.
2. After gathering evidence of the attack you can identify the MAC Address of the attacker by looking in your tcpdump output at the spoofed responses for the ARP requests.
3. Once you have the attacker’s MAC Address, you can determine which IP Address has that MAC Address assigned by using sudo nmap -sn 192.168.1.0/24.
4. If you have a managed switch, you may be able to check your switch logs to determine which physical port the attacker’s MAC Address is connected to.

Long Term Preventative Measures:

1. Establish Static ARP Entries on Critical Devices.
2. Configure the Switch Ports to have a maximum number of MAC addresses that can connect to the Port using Port Security.
3. Configure the ARPWatch to monitor for ARP activity in real time.
4. Encrypt your data (HTTPS, VPN, etc) so it cannot be intercepted and viewed.

The Bottom Line

ARP monitoring is critical for all network managers and anyone who has an interest in keeping the security of shared networks.

With the Ten Commands in this document, you will be equipped with all you need to know regarding ARP spoofing detection, how to examine suspicious activity, and ways to safeguard your traffic from man in the middle attacks.

Start with arp -a to understand what a normal ARP cache looks like on your network. Then run arpwatch for continuous monitoring. And when something feels wrong, use arping and tcpdump to investigate.

The attackers are counting on you not to look. Look anyway.

FAQ Section

What is the difference between ARP and ARPing?

ARP is the protocol itself. ARPing is a command-line tool that sends ARP requests and displays the responses. You use ARPing to actively query a device, while ARP monitoring tools like arp -a show you what your computer already knows.

How often should I check my ARP cache?

On a home network, checking once a week is usually sufficient. On a business network or shared Wi-Fi, check daily or use an automated tool like arpwatch to monitor continuously.

Is it possible to use an ARP (Address Resolution Protocol) Spoofing Attack on an Encrypted Wi-Fi Network? 

Yes. Spoof technology operates on Layer 2 (Data Link Layer) of the OSI (Open System Interconnection) Model! Thus, regardless of whether you are using a WPA2 or WPA3 encrypted wireless network, devices will still be able to send ARP packets/responses to one another. Wi-Fi encryption ONLY protects the contents of YOUR traffic from outsiders trying to access your data over your network, NOT from other devices connected to the same wireless network as you!

Am I protected from ARP Spoofing Attacks if I am using a VPN (Virtual Private Network)? 

Yes! VPNs encrypt ALL of your traffic prior to being transmitted out your computer; therefore, if an attacker uses an ARP Spoof Attack to intercept YOUR traffic, then all the attacker will see is ENCRYPTED data that is MEANINGLESS to them! A VPN does NOT prevent ARP Spoofing. However, because ALL of the intercepted traffic is ENCRYPTED, your traffic will be rendered USELESS to the attacker!

What tool can be used for continuous ARP monitoring? 

arpwatch (Linux-based) is the best free option for continuous ARP monitoring! arpwatch is set up as a service and will log EVERY ARP change that occurs and alert you via EMAIL whenever there is an ARP change that occurs. If you have a large network, you may want to consider using a specialized network monitoring/tool suite such as Zeek (formerly known as "Bro") or "Security Onion".

Why might my ARP cache contain entries for devices that are not on my network?

This would be unusual. If you see IP addresses in your ARP cache that do not belong to your local subnet (e.g., 8.8.8.8), this would be concerning, because you should only have ARP entries for devices that are also on the same local subnet. Seeing IP addresses like this could indicate a misconfiguration or an attack on your computer.

How do I look up the manufacturer of a MAC address?

You can use an online free tool to look up the mac address of the device. Visit a site such as macvendors.com or wireshark.org/tools/oui-lookup.html and input the first six characters of the MAC address you want to look up. You will then be able to determine the manufacturer of the device associated with that MAC address and if the device is an unknown device, you will be able to identify if it is a cellphone, laptop, router, IoT device, etc.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067