arp --delete is not deleting an entry; merely marks entry as "incomplete"

Question

$ sudo arp -avn
? (10.10.7.30) at 00:cc:cc:bb:dd:86 [ether] on eth0
...

$ sudo arp --delete 10.10.7.30

$ sudo arp -avn
? (10.10.7.30) at <incomplete> [ether] on eth0

After --delete I expected no entry for 10.10.7.30. Unexpectedly, the entry remains and is marked <incomplete>.

Using Ubuntu 10.04.

Karma Fusebox · Accepted Answer · 2013-02-07T03:15:58.060

10

The entry will be removed, just be patient.

(If you want the shortest possible answer: incomplete == deleted)

Let's say "delete" is the wrong word for the action. What's really happening here is that the entry is manually set to the state "request sent, no answer" (thus "incomplete" ARP process) as if the machine would be really unreachable.

Now, the entry will be completely removed soon unless it gets a new valid ARP response in the meantime. In that case the entry would be re-added anyways even if it was removed instead of being marked as incomplete. So there's no actual pro or con to this behaviour.

But keep in mind that we're talking of a cache. Deleting things from caches is hard and expensive. It's way more efficient to invalidate an entry and wait if it gets replaced before it is finally removed. But for the system it's totally no difference if the entry is gone from the list or just marked incomplete.

edited Feb 07 '13 at 03:15

answered Feb 07 '13 at 01:02

Karma Fusebox

1,064
9
18

And there is no way to really delete it so that a subsequent need to know the destination would trigger a "new" ARP query? – Skaperen Feb 07 '13 at 02:09
1

But exactly that's the case here. If anything looks up an entry that is marked "incomplete" a new ARP request is send. If it is answered, the entry is updated and no longer "incomplete". If no answer returns, the entry is removed from the list after some time. (That's why I think it's pretty useless to "--delete" an entry manually. If the machine lives, the entry will be refreshed. If it is really gone, then why "--delete" the entry manually anyways?) – Karma Fusebox Feb 07 '13 at 02:29
... it comes to my mind that you might want to "change" the ARP address for an IP address. In this special case you can "--delete" manually and have the next ARP request return the new address. But for this scenario, it doesn't matter at all if the entry is visibly removed from the list or marked "incomplete". For the tech involved, it's the same. – Karma Fusebox Feb 07 '13 at 02:45
@KarmaFusebox do you know where this cache exists? Is it in process memory? If so, which process? or is it maintained by the kernel? In a file on-disk? elsewhere? – JamesThomasMoon Jun 06 '15 at 22:19
@KarmaFusebox Deleting an entry makes sense if the entries were also added manually (and therefore have the permanent flag set) – cha5on Jan 26 '17 at 04:15

score 7 · Answer 2 · edited Aug 04 '15 at 04:49

7

Just to complement all other answers, I found this link very useful.

In some cases using ip is more appropriate, like the command:

# ip -s -s neigh flush all

Results may depend on your linux kernel.

edited Aug 04 '15 at 04:49

JamesThomasMoon

633
2
5
23

answered Jul 31 '15 at 12:59

Saulo Gomes

71
1
2

This worked perfectly for me. Anyone who is having trouble with other responses should try it. – Iakovos Gurulian May 03 '17 at 11:33

score 3 · Answer 3 · answered Jan 03 '18 at 15:40

3

Apart from the other fine answers it worths mentioning that it is possible to completely eredicate the arp cache by removing it. One of the less painful ways is:

ip link set arp off dev eth0 ; ip link set arp on dev eth0

This should remove all entries, be they in whatever state.

Alternative methods include downing and upping the interface and similar ways to make the arp cache completely removed and recreated.

answered Jan 03 '18 at 15:40

grin

284
1
7

1

This is the correct answer. I needed exactly this. Not just marking some entry for "incomplete" or "has not been reached for a while". Thank you. – John Hamilton Jan 10 '19 at 08:36

Sopalajo de Arrierez · Answer 4 · 2015-06-05T23:51:03.067

0

I know this could sound obvious, but, for those not used to work with the shell, this is my suggestion:

Starting from the answer of @KarmaFusebox, why not simply grep the results...? :

arp -a | grep "incomplet" -i -v

It will show you only the existing/active cache entries.
I think it keeps being a POSIX compliant command. And it is a scriptable method, if that is what you need.

edited Jun 05 '15 at 23:51

answered Jun 05 '15 at 23:44

Sopalajo de Arrierez

201
2
8

I'm looking for a reasonable explanation of why `arp` behaves this way. It seems peculiar. Tangentially, could `arp` be forced to remove the `` entries? – JamesThomasMoon Jun 07 '15 at 15:53
Well, @JamesThomasMoon1979, I would rather say that, on systems that seem not to behave this way (i.e: Windows console), they really are. The only difference is they don't show `incomplete` entries on the arp cache list command. – Sopalajo de Arrierez Jun 07 '15 at 16:16

arp --delete is not deleting an entry; merely marks entry as "incomplete"

4 Answers4