How to Display the ARP Cache in Batch Script
The Address Resolution Protocol (ARP) is a critical part of how local networks function. It maps IP addresses (Layer 3) to MAC addresses (Layer 2). Windows maintains a cache of these mappings so it doesn't have to keep asking the network for the same information. For a network administrator or developer, viewing the ARP cache is a fundamental step in troubleshooting IP conflicts, verifying connectivity, or identifying unknown devices on the local segment.
This guide will explain how to use the arp command in a Batch script to display, filter, and manage these network mappings.
The Tool: ARP -A
The standard way to view the current ARP cache is via the -a switch. This displays the IP address, the Physical (MAC) Address, and whether the entry is static or dynamic. The arp command, its flags (-a, -d, -s), and the output column format are language-independent; they work the same way on every Windows display language.
Basic Implementation
@echo off
setlocal
echo --- LOCAL ARP CACHE ---
echo.
arp -a
endlocal
pause
Understanding the Output
- Internet Address: The IP address of the device.
- Physical Address: The MAC address (hardware identifier), displayed as six hyphen-separated hex pairs (e.g., 00-1a-2b-3c-4d-5e).
- Type:
  - dynamic: Discovered automatically through normal network traffic. These entries expire after a timeout period (typically 15–45 seconds of inactivity) and are deleted if not refreshed.
  - static: Manually added entries or permanent system addresses (like multicast mappings). These survive until manually removed or the system restarts.
Method 1: Searching for a Specific IP Address
On modern computers with multiple adapters (Wi-Fi, Ethernet, VPN), the ARP table can contain many entries across multiple interface sections. You can filter the results using findstr.
@echo off
setlocal
set "Target=192.168.1.1"
echo [ARP] Searching for %Target% in the ARP cache...
echo.
rem --- Add spaces around the target IP to prevent partial matches ---
rem --- This ensures "192.168.1.1" does not match "192.168.1.10" ---
arp -a | findstr /c:" %Target% "
if %errorlevel% neq 0 (
    echo [INFO] %Target% was not found in the local ARP cache.
    echo [INFO] The device may be offline, on a different subnet,
    echo        or not yet communicated with this machine.
    echo.
    echo [TIP] To populate the cache, ping the target first:
    echo       ping -n 1 %Target%
)
endlocal
pause
Preventing partial matches: By including spaces around the target in findstr /c:" %Target% ", a search for 192.168.1.1 will not accidentally match 192.168.1.10, 192.168.1.100, or 192.168.1.15. The ARP output uses consistent spacing that places spaces around each IP address.
Method 2: Searching for a MAC Address
You can also search the ARP cache by MAC address to find which IP is assigned to a specific device. MAC addresses in the ARP output use hyphens as separators and lowercase hex characters, but since users might enter them in different formats, the script should handle case differences.
@echo off
setlocal
set "TargetMAC=00-1a-2b-3c-4d-5e"
echo [ARP] Searching for MAC address %TargetMAC%...
echo.
rem --- Use /i for case-insensitive matching ---
rem --- ARP output typically uses lowercase, but user input may vary ---
arp -a | findstr /i /c:"%TargetMAC%"
if %errorlevel% neq 0 (
    echo [INFO] MAC address %TargetMAC% was not found in the ARP cache.
    echo [INFO] The device may be offline or on a different subnet.
)
endlocal
pause
Method 3: Populating and Then Viewing the Cache
If you just turned on your computer or cleared the cache, the ARP table might be nearly empty. This script pings the default gateway first to ensure at least the most important entry is present, then displays the cache.
@echo off
setlocal enabledelayedexpansion
echo [ARP] Populating cache by pinging default gateway...
rem --- Extract the default gateway from the IPv4 routing table ---
rem --- The default route line reads: 0.0.0.0  0.0.0.0  GATEWAY  INTERFACE  METRIC ---
rem --- These values are language-independent (always dotted IPs) ---
rem --- Taking the first IP-looking value from ipconfig would return this ---
rem --- machine's own address, and pinging that does not populate the cache ---
set "Gateway="
for /f "tokens=3" %%g in ('route print -4 ^| findstr /r /c:"^ *0\.0\.0\.0  *0\.0\.0\.0 "') do (
    if not defined Gateway set "Gateway=%%g"
)
if defined Gateway (
    echo [INFO] Gateway detected: !Gateway!
    ping -n 1 -w 1000 !Gateway! >nul 2>&1
) else (
    echo [WARN] Could not detect gateway. Cache may be incomplete.
)
echo.
echo --- ARP CACHE ---
echo.
arp -a
endlocal
pause
Method 4: Administrative ARP Maintenance
Sometimes the ARP cache becomes poisoned (through ARP spoofing attacks) or outdated, leading to connectivity issues. You can clear the cache or manually create static mappings. These operations require Administrator privileges.
@echo off
setlocal
rem --- Admin check: modifying the ARP cache requires elevation ---
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] This script must be run as Administrator.
    echo [INFO] Viewing the ARP cache (arp -a^) works without elevation,
    echo        but clearing or adding entries requires Administrator rights.
    endlocal
    pause
    exit /b 1
)
echo [ARP MAINTENANCE]
echo.
rem --- Step 1: Show current cache before changes ---
echo [STEP 1] Current ARP cache:
arp -a
echo.
rem --- Step 2: Clear the entire ARP cache ---
echo [STEP 2] Clearing ARP cache...
arp -d *
if %errorlevel% equ 0 (
    echo [OK] ARP cache cleared.
) else (
    echo [WARN] Could not clear ARP cache.
    echo [INFO] An alternative command is:
    echo        netsh interface ip delete arpcache
)
echo.
rem --- Step 3: Add a static entry (optional) ---
rem --- Uncomment the lines below if you need a static mapping ---
rem --- A static entry keeps this host from accepting spoofed ARP replies ---
rem --- for that IP, which is useful for critical devices ---
rem echo [STEP 3] Adding static ARP entry...
rem arp -s 192.168.1.100 00-aa-00-62-c6-09
rem if %errorlevel% equ 0 (
rem     echo [OK] Static entry added: 192.168.1.100 = 00-aa-00-62-c6-09
rem ) else (
rem     echo [ERROR] Failed to add static entry.
rem )
rem --- Step 4: Show cache after changes ---
echo [STEP 4] ARP cache after maintenance:
arp -a
endlocal
pause
Notes on clearing the cache:
- arp -d * deletes all dynamic entries from the ARP cache. Static entries may persist depending on the Windows version.
- netsh interface ip delete arpcache is an alternative that clears the cache through the network stack. On some Windows versions, one command works better than the other.
- After clearing, the cache will repopulate automatically as the computer communicates with other devices on the network.
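Before clearing a cache you suspect is poisoned, it is worth recording what is in it. The following added example (not part of the original guide) reports any MAC address that is cached for more than one IP, a common symptom of ARP spoofing. The sample table, the temporary file name and the variable names are constructed for illustration.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example: report any MAC address that is cached for more than one IP.
rem The sample table is constructed. To scan the live cache, replace the
rem type command in the for /f line with: arp -a
set "Sample=%TEMP%\arp_sample_%RANDOM%.txt"
(
echo Interface: 192.168.1.50 --- 0x4
echo   Internet Address      Physical Address      Type
echo   192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
echo   192.168.1.23          00-1a-2b-3c-4d-5e     dynamic
echo   192.168.1.40          00-50-56-aa-bb-cc     dynamic
echo   192.168.1.255         ff-ff-ff-ff-ff-ff     static
echo   224.0.0.22            01-00-5e-00-00-16     static
echo   255.255.255.255       ff-ff-ff-ff-ff-ff     static
) > "%Sample%"

rem Keep only lines that contain a MAC. Drop broadcast and multicast MACs,
rem which are legitimately shared by several IP addresses.
set "HEX=[0-9a-f][0-9a-f]"
set "MacRe=%HEX%-%HEX%-%HEX%-%HEX%-%HEX%-%HEX%"
set "Alerts=0"
for /f "tokens=1,2" %%i in ('type "%Sample%" ^| findstr /r /i /c:"%MacRe%" ^| findstr /v /i /c:" ff-ff-ff-ff-ff-ff" /c:" 01-00-5e-"') do (
    rem seen_MAC remembers the first IP observed for that MAC.
    if not defined seen_%%j (
        set "seen_%%j=%%i"
    ) else if "!seen_%%j!" neq "%%i" (
        echo [ALERT] %%j is cached for both !seen_%%j! and %%i
        set /a Alerts+=1
    )
)

if %Alerts% equ 0 echo [OK] No MAC address is cached for more than one IP.
if %Alerts% gtr 0 echo [WARN] %Alerts% duplicate mapping found. Save this output before running arp -d.
del "%Sample%" >nul 2>&1
endlocal
```

A duplicate is not always hostile: proxy ARP and devices that hold several IP addresses produce the same pattern, so treat an alert as a reason to investigate.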
Method 5: Saving an ARP Snapshot for Auditing
For network auditing or comparing the ARP table over time (to detect new or rogue devices), save the output to a timestamped file.
@echo off
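setlocal
rem --- %date% follows the regional settings. This slicing assumes the date ---
rem --- ends in DD/MM/YYYY and yields YYYYMMDD. With MM/DD/YYYY the result ---
rem --- is YYYYDDMM, so file names will not sort chronologically ---
set "Timestamp=%date:~-4%%date:~-7,2%%date:~-10,2%_%time:~0,2%%time:~3,2%%time:~6,2%"
rem --- Hours before 10 contain a leading space; replace it with 0 ---
set "Timestamp=%Timestamp: =0%"
set "OutputFile=%~dp0arp_snapshot_%Timestamp%.txt"
echo [AUDIT] Saving ARP cache snapshot...
(
    echo ============================================
    echo ARP Cache Snapshot
    echo Date: %date% Time: %time%
    echo Computer: %COMPUTERNAME%
    echo ============================================
    echo.
    arp -a
) > "%OutputFile%"
if exist "%OutputFile%" (
    echo [SUCCESS] Snapshot saved to:
    echo %OutputFile%
) else (
    echo [ERROR] Failed to save snapshot.
)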
endlocal
pause
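Saved snapshots are only useful once they are compared. The following added example (not part of the original guide) loads a baseline snapshot and reports IPs that are new or whose MAC address has changed. Both snapshot files, their contents and the variable names are constructed for illustration.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example: compare two ARP snapshots. File contents are constructed.
rem Point Base and Curr at two real arp_snapshot_*.txt files to use it.
set "Base=%TEMP%\arp_base_%RANDOM%.txt"
set "Curr=%TEMP%\arp_curr_%RANDOM%.txt"
(
echo ARP Cache Snapshot
echo   192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
echo   192.168.1.40          00-50-56-aa-bb-cc     dynamic
) > "%Base%"
(
echo ARP Cache Snapshot
echo   192.168.1.1           00-15-5d-01-02-03     dynamic
echo   192.168.1.40          00-50-56-aa-bb-cc     dynamic
echo   192.168.1.77          00-aa-00-62-c6-09     dynamic
) > "%Curr%"

rem Only lines containing a MAC are data; headers and banners are skipped.
set "HEX=[0-9a-f][0-9a-f]"
set "MacRe=%HEX%-%HEX%-%HEX%-%HEX%-%HEX%-%HEX%"

rem Load the baseline: one variable per IP holding its recorded MAC.
for /f "tokens=1,2" %%i in ('findstr /r /i /c:"%MacRe%" "%Base%"') do set "base_%%i=%%j"

set "New=0"
set "Changed=0"
for /f "tokens=1,2" %%i in ('findstr /r /i /c:"%MacRe%" "%Curr%"') do (
    if not defined base_%%i (
        echo [NEW] %%i is at %%j and was not in the baseline
        set /a New+=1
    ) else if /i "!base_%%i!" neq "%%j" (
        echo [CHANGED] %%i moved from !base_%%i! to %%j
        set /a Changed+=1
    )
)
echo [SUMMARY] !New! new, !Changed! changed
del "%Base%" "%Curr%" >nul 2>&1
endlocal
```

With the constructed data it reports 192.168.1.1 as changed and 192.168.1.77 as new. A changed MAC on the gateway IP deserves attention first, since it means either replaced hardware or another device answering for the gateway.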
How to Avoid Common Errors
Wrong Way: Expecting to See Remote Internet Devices
The ARP cache only contains devices on your immediate local network (the same subnet). You will never see the MAC address of google.com or any remote server. You will only see the MAC address of your local router (default gateway), which forwards your traffic to the internet.
rem *** This will never find google.com's MAC address ***
arp -a | findstr "google"
Wrong Way: Searching Without Preventing Partial Matches
Without careful findstr patterns, searching for 192.168.1.1 will also match 192.168.1.10, 192.168.1.100, and any other IP that starts with the same digits.
rem *** BAD: matches 192.168.1.1, 192.168.1.10, 192.168.1.100 ***
arp -a | findstr "192.168.1.1"
Correct Way: Use the /c: flag with spaces around the target to match only the exact IP.
rem *** GOOD: matches only 192.168.1.1 ***
arp -a | findstr /c:" 192.168.1.1 "
Wrong Way: Trying to Clear the Cache Without Admin Rights
rem *** BAD: fails without elevation ***
arp -d *
Correct Way: Always check for Administrator privileges before attempting to modify the ARP cache.
Problem: Empty ARP Cache
If the computer just started or the cache was recently cleared, there may be very few entries.
Solution: Ping the gateway or other known devices first to populate the cache, then view it.
ping -n 1 192.168.1.1 >nul 2>&1
arp -a
Best Practices and Rules
1. The arp Command Is Language-Independent
The arp command, its flags (-a, -d, -s), and the output column structure are identical across all Windows display languages. The column headers ("Internet Address", "Physical Address", "Type") may be translated, but the data format (IP addresses, MAC addresses, "dynamic"/"static" labels) remains consistent. You can safely parse the data columns regardless of Windows language.
2. Viewing vs. Modifying Requires Different Privileges
Reading the ARP cache with arp -a works for standard users. Clearing entries (arp -d) or adding static entries (arp -s) requires Administrator elevation.
3. Understand Multicast and Broadcast Entries
Entries in the 224.x.x.x through 239.x.x.x range are multicast addresses used for network discovery (printers, media streaming, mDNS). The entry 255.255.255.255 is the broadcast address. These are normal system entries and should not be deleted.
4. Use OUI Lookup for Device Identification
The first three pairs of a MAC address (the OUI, Organizationally Unique Identifier) identify the manufacturer. For example, 00-15-5d is Microsoft (Hyper-V), 00-50-56 is VMware, and ac-de-48 is Apple. This can help identify unknown devices on your network.
5. Dynamic Entries Expire Automatically
Dynamic ARP entries are temporary. If a device stops communicating, its entry will be removed after the timeout period (typically 15–45 seconds). You do not need to manually clean up stale dynamic entries; they will disappear on their own.
6. Use setlocal / endlocal
Always wrap scripts in setlocal and endlocal to prevent variables from leaking into the parent environment.
Final Thoughts
Displaying the ARP cache in a Batch script is a simple yet powerful diagnostic technique. The arp -a command provides immediate visibility into the physical devices communicating with your machine on the local network, and since its flags and output format are language-independent, scripts work reliably on any Windows installation. By combining arp with findstr filtering, careful partial-match prevention, and administrative maintenance commands, you can build tools for IP conflict diagnosis, rogue device detection, network auditing, and ARP cache maintenance. The key is understanding that ARP only operates within your local subnet: it reveals the physical hardware identities of your immediate network neighbors, not the broader internet.