TCP/IP Troubleshooting

Previous Topic Next Topic

Test IP-to-MAC Address Resolution with ARP

Windows 2000 TCP/IP allows an application to communicate over a network with another computer by using either an IP address, a host name, or a NetBIOS name. However, regardless of which naming convention is used, the destination must ultimately be resolved to a hardware address (media access control (MAC) address) for shared access media such as Ethernet and Token Ring.

The Address Resolution Protocol (ARP) allows a host to find the MAC address of a node with an IP address on the same physical network, when given the node's IP address. To make ARP efficient, each computer caches IP-to-MAC address mappings to eliminate repetitive ARP broadcast requests.

The Arp tool allows a user to view and modify ARP table entries on the local computer. The arp command is useful for viewing the ARP cache and resolving address resolution problems.

A static entry can be added to an ARP file by issuing the arp -s <IP address> <MAC address> command. However, adding such static ARP cache entries must be used with caution as it is easy to enter the wrong MAC address for an IP address.

Detecting Duplicate IP Addresses Using ARP

When starting up, Windows performs a gratuitous ARP to detect any duplication with its own IP address. While this detects most cases of duplicate IP addresses, in a few situations two TCP/IP hosts (either Microsoft or non-Microsoft) on the same network can be configured for the same IP address.

The MAC and IP address mapping is done by the ARP module, which uses the first ARP response it receives. Therefore, the impostor computer's reply sometimes comes back before the intended computer's reply.

These problems are difficult to isolate and track down. Use the arp -a command to display the mappings in the ARP cache. If you know the Ethernet address for the remote computer you wish to use, you can easily determine whether the two match. If not, use the arp -d command to delete the entry, then use Ping with the same address (forcing an ARP), and check the Ethernet address in the cache again by using arp -a.

If both computers are on the same network, you will eventually get a response from the imposter computer. If not, you might have to capture the traffic from the impostor host with Network Monitor to determine the owner or location of the system. For more information about Network Monitor, see "Monitoring Network Performance" in the Server Operations Guide.

Detecting Invalid Entries in the ARP Cache

Troubleshooting the ARP cache can be one of the more difficult tasks in network administration because the problems associated with it are so often intermittent.

The exception to this rule is when you find that the wrong host responds to a command, perhaps a Netuse or Telnet command. The symptoms of invalid entries in the ARP cache are harder to reproduce and involve intermittent problems that only affect a few hosts. The underlying problem is that two computers are using the same IP address on the network. You only see the problems intermittently because the most recent ARP table entry is always the one from the host that responded more quickly to any particular ARP request.

To address the problem, display the ARP table using the arp -a command. Following is an example output of the arp -a command.

C:\>arp -a 172.16.0.142


Interface: 172.16.0.142

   Internet address     Physical Address     Type

   172.16.0.1           00-e0-34-c0-a1-40    dynamic

   172.16.1.231         00-00-f8-03-6d-65    dynamic

   172.16.3.34          08-00-09-dc-82-4a    dynamic

   172.16.4.53          00-c0-4f-79-49-2b    dynamic

   157.59.5.102         00-00-f8-03-6c-30    dynamic


Since addresses assigned by DHCP do not cause address conflicts like those described here, the main source of these conflicts is likely to be static IP addresses. Maintaining a list of static addresses (and corresponding MAC addresses) as they are assigned can help you track down any address conflict just by examining the IP and MAC address pairs from the ARP table and comparing them to the recorded values.

If you do not have a record of all IP and MAC address pairs on your network, you might want to examine the manufacturer bytes of the MAC addresses for inconsistencies. These three-byte numbers are called Organizationally Unique Identifiers (OUIs) and are assigned by the Institute of Electrical and Electronics Engineers (IEEE); the first three bytes of each MAC address identify the card's manufacturer. Knowing what equipment you installed and comparing that with the values returned by arp -a might allow you to determine which static address was entered in error.

Finally, if neither an address pair record nor the manufacturer prefixes reveals the source of the problem, check the Event Viewer for additional clues to the problem. For instance, DHCP might have detected a duplicate card already on the network, and thus denied a computer's request to join. Other DHCP and related messages here can often quickly isolate and solve a problem.

© 1985-2000 Microsoft Corporation. All rights reserved.