6

How can I query the local ARP-cache on my Linux-machine to see when a specific ARP-entry was learned and/or updated the last time?

nitram
  • 63
  • 1
  • 7
  • 4
    I don't have a reference on hand but IIRC that isn't recorded by default and you'd need to install something like arpwatch – HBruijn Nov 20 '16 at 12:49
  • Thanks for this idea @HBruijn . Then I would have to parse the syslog to keep track of the arp neighbors. I thought there was an arp cache timeout anyway which I could use – nitram Nov 21 '16 at 07:37

2 Answers2

2

ip -statistics neighbour gives some interesting information. When called with watch one number seems to increment once per second, and resets to zero when a new arp exchange takes place.

Every 2.0s: ip -statistics neighbour                              Sat Oct 14 02:09:42 2017

fe80::XXXX:XXXX:XXXX:XX25 dev enp2s1 lladdr dc:XX:XX:XX:XX:25 router used >35</39/21 probes 0 STALE
10.0.0.1 dev enp2s1 lladdr dc:XX:XX:XX:XX:25 ref 1 used >5586</0/434 probes 1 REACHABLE

Marked with >< are the numbers that increment with time.

Robbie Mckennie
  • 1,083
  • 1
  • 8
  • 21
0

(can not comment ... searched a longer time for following information and would like to share it here, as it may help)

As Robbie showed:

ip -statistics neighbour

has output triplet

5586/0/434

which means "last used"/"last confirmed"/"last updated", so here the output means: entry was last used 5586 seconds ago, confirmed 0 seconds ago, updated 434 seconds ago (source: e.g. http://www.policyrouting.com/iproute2.doc.html); so i think the second number gives the seconds back to the last confirmed contact ... if the status is REACHABLE (?). Maybe When do STALE arp entries become FAILED when never used? will be helpful here too for more details.

Schusch
  • 1