How to clear the ARP cache on Linux?

In some cases, you might need to clear your ARP cache. There are two common ways on Linux, using the arp or ip utility. Depending on your Linux distribution, it might be preferred to use the ip utility.

Clearing cache with arp

The arp utility does not accept an option to clear the full cache. Instead, it lets you delete individual entries with the -d option.

root@ubuntu:~# arp -d 192.168.1.1

After deleting, have a look with the arp utility again to see the new list:

root@ubuntu:~# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1                      (incomplete)                              eth0
192.168.1.2              ether   00:02:9b:a2:d3:f3   C                     eth0
192.168.1.3              ether   00:02:9b:d9:d1:a2   C                     eth0

Clearing cache with ip

Newer Linux distributions have the ip utility, which has a more advanced way to clear out the full ARP cache:

root@arch01:~# ip -s -s neigh flush all
Screenshot: the ARP cache is cleared, with verbose output.

The first -s will provide a more verbose output. The second one defines the neighbor table, which equals the ARP and NDISC cache. Note that the -s options are not available on all versions of the ip command. If they are not supported by your version of ip, simply remove them from the command.
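To check what a delete or flush actually left behind, the neighbour listing can be summarised by state. The script below is an added example, not part of the original article; the function names and the ip neigh show sample are constructed for illustration, while the arp -n listing is the one shown earlier on this page.

```shell
#!/bin/sh
# Added example: inspect neighbour-table snapshots after a delete or flush.

# Constructed sample of `ip neigh show` output taken after a flush.
# The PERMANENT (static) entry is included because `ip neigh flush all`
# skips permanent and noarp entries by default.
AFTER_FLUSH='192.168.1.1 dev eth0 FAILED
192.168.1.2 dev eth0 FAILED
192.168.1.3 dev eth0 lladdr 00:02:9b:d9:d1:a2 PERMANENT
fe80::1 dev eth0 lladdr 00:02:9b:a2:d3:f3 router REACHABLE'

# The `arp -n` listing from the article, after `arp -d 192.168.1.1`.
ARP_LISTING='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1                      (incomplete)                              eth0
192.168.1.2              ether   00:02:9b:a2:d3:f3   C                     eth0
192.168.1.3              ether   00:02:9b:d9:d1:a2   C                     eth0'

# Count entries per state; the state is the last field of each line.
neigh_state_count() {
    awk 'NF { n[$NF]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Print "address state" for entries that still hold a link-layer address.
neigh_resolved() {
    awk '{ for (i = 2; i < NF; i++) if ($i == "lladdr") { print $1, $NF; break } }'
}

# Print addresses that `arp -n` reports as (incomplete). Those rows have no
# HWtype column, so the marker is the second field, not the third.
arp_incomplete() {
    awk 'NR > 1 && $2 == "(incomplete)" { print $1 }'
}

echo "Entries per state:"
printf '%s\n' "$AFTER_FLUSH" | neigh_state_count
echo "Still resolved after flush:"
printf '%s\n' "$AFTER_FLUSH" | neigh_resolved
echo "Incomplete in arp -n:"
printf '%s\n' "$ARP_LISTING" | arp_incomplete
```

On a live system, pipe the real output into the same functions, for example `ip neigh show | neigh_state_count`.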

Conclusion

Depending on your distribution, the ip utility is quicker if you want to flush out the full ARP cache. For individual entries, the arp tool will do the job as quickly. Both tools are available for most distributions, including Arch Linux, CentOS, Debian, Fedora, RHEL, and Ubuntu.


6 comments

  • German Gonzalez

    I need to flush/clean the ARP table, and to have an option like Winsock for the case of Win7, and if it exists, to clean the register like CCleaner, because I have this problem:
    ubuntu@ubuntu:~$ netstat -nat
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
    tcp6 0 0 ::1:631 :::* LISTEN
    tcp6 1 0 ::1:53003 ::1:631 CLOSE_WAIT
    How can I resolve this case? In another case the following appears (I think that I need to clean by the “listen”):
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
    tcp 0 0 172.252.37.7:46799 94.31.29.192:80 ESTABLISHED
    tcp 0 0 172.252.37.7:51130 91.189.94.232:443 ESTABLISHED
    tcp 0 0 172.252.37.7:45273 91.189.95.69:80 ESTABLISHED
    tcp 0 0 172.252.37.7:44964 149.210.134.182:443 ESTABLISHED
    tcp 0 0 172.252.37.7:45270 91.189.95.69:80 ESTABLISHED
    tcp 0 0 172.252.37.7:60107 64.233.176.95:80 TIME_WAIT
    tcp 0 0 172.252.37.7:35899 216.58.219.110:80 TIME_WAIT
    tcp 0 78 172.252.37.7:40483 216.58.219.72:443 LAST_ACK
    tcp 0 0 172.252.37.7:59036 216.58.219.67:80 TIME_WAIT
    tcp 0 78 172.252.37.7:38157 64.233.185.94:443 LAST_ACK
    tcp 0 0 172.252.37.7:45275 91.189.95.69:80 ESTABLISHED
    tcp 0 0 172.252.37.7:51127 91.189.94.232:443 ESTABLISHED
    tcp 0 0 172.252.37.7:45271 91.189.95.69:80 ESTABLISHED
    tcp 0 0 172.252.37.7:41876 216.58.219.68:80 ESTABLISHED
    tcp 0 0 172.252.37.7:43539 64.233.185.154:80 ESTABLISHED
    tcp 0 0 172.252.37.7:45272 91.189.95.69:80 ESTABLISHED
    tcp 0 0 172.252.37.7:39388 24.139.135.147:80 ESTABLISHED
    tcp 0 0 172.252.37.7:60106 64.233.176.95:80 TIME_WAIT
    tcp 0 0 172.252.37.7:51131 91.189.94.232:443 ESTABLISHED
    tcp 0 0 172.252.37.7:37724 216.58.219.78:80 TIME_WAIT
    tcp 0 0 172.252.37.7:59708 216.58.219.66:80 ESTABLISHED
    tcp 0 0 172.252.37.7:51586 173.194.219.95:80 TIME_WAIT
    tcp 0 0 172.252.37.7:51128 91.189.94.232:443 ESTABLISHED
    tcp 0 0 172.252.37.7:37227 216.58.219.98:80 TIME_WAIT
    tcp 0 0 172.252.37.7:45274 91.189.95.69:80 ESTABLISHED
    tcp 0 0 172.252.37.7:51587 173.194.219.95:80 TIME_WAIT
    tcp 0 0 172.252.37.7:35809 64.233.176.94:80 ESTABLISHED
    tcp 0 0 172.252.37.7:59035 216.58.219.67:80 TIME_WAIT
    tcp 0 0 172.252.37.7:51132 91.189.94.232:443 ESTABLISHED
    tcp 0 0 172.252.37.7:51129 91.189.94.232:443 ESTABLISHED
    tcp 0 0 172.252.37.7:35666 216.58.219.110:80 TIME_WAIT
    tcp 0 0 172.252.37.7:34426 173.194.219.94:80 ESTABLISHED
    tcp6 0 0 ::1:631 :::* LISTEN
    tcp6 1 0 ::1:53003 ::1:631 CLOSE_WAIT

    Thanks for your attention,

    • These are your active connections (to your web server software). ARP is a protocol one level below these network connections. For details on flushing the ARP table, see the article on how to do that. For easily resetting the active connections, reload your web server daemon (Apache, nginx, etc.). The ports which state “LISTEN” have a daemon running (53 = DNS, 631 = SAMBA or CUPS).
  • Barak

    The statement “The second one defines the neighbor table” is not accurate. Both -s are for verbosity (providing 2 increases it). The basic command is simply “ip neigh flush all”

    • Depending on your version of the ip utility, you may not have the -s option available. The text has been extended to reflect that. Thanks for the feedback!
  • Urs Thuermann

    ip neigh flush all does not flush the cache completely, i.e. it does not delete the entries from the neighbor table. Instead it only clears the cached MAC addresses in the neighbor table, i.e. it sets all entries to state FAILED. But the entries with IP and IPv6 address are still kept in the cache. In former times the kernel expired entries after some time without usage, but unfortunately, this is not done anymore and there seems to be no way to remove entries manually.

    Even a normal user could fill the neighbor cache with lots of entries which will stay until the next reboot. E.g. with “for n in {1..255}; do ping -c1 10.0.0.$n; done”
