ARP Cache in Windows

The Address Resolution Protocol (ARP) cache is where all the IP-to-MAC address mappings of the hosts in the local network segment are maintained. The TCP/IP implementation in Windows Vista and above follows RFC-4861 (Neighbor Discovery Protocol for IPv6) for both the IPv4 and IPv6 Neighbor Discovery process.

Following the specifications of RFC-4861, the life cycle of an ARP entry can be described as follows:


  1. If an ARP entry (address mapping) is not in the ARP cache for which an IP datagram is to be delivered, the host sends an ARP request broadcast.
  2. If an ARP entry does exist and satisfies certain conditions, it enters into “Reachable” state meaning the node it represents is reachable via the MAC address it maps the IP address to.
  3. The ARP entry in “Reachable” stays in that state so long the “Reachable Time” doesn’t expire. The Reachable Time is the ARP entry’s life time.
  4. The ARP entry whose Reachable Time has expired would enter into “Stale” state — a precursor state for its removal from the ARP cache.

Run “arp -a” to list all the ARP entries in the cache.

C:\WINDOWS\system32>arp -a

Interface: --- 0x2
  Internet Address      Physical Address      Type           6c-72-20-d3-19-fb     dynamic           a0-e4-53-6f-f7-4f     dynamic             01-00-5e-00-00-02     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fb     static           01-00-5e-00-00-fc     static           01-00-5e-00-00-fd     static       01-00-5e-7f-ff-fa     static

The Reachable Time

ARP age timeout threshold is called Reachable Time in Windows (following RFC-4861). It is calculated as,

Reachable Time = (Base Reachable Time) x (Random value between MIN_RANDOM_COUNT and MAX_RANDOM_COUNT)
where by default, Base Reachable Time (BRT) = 30 seconds
                           MIN_RANDOM_COUNT = 0.5
                           MAX_RANDOM_COUNT = 1.5

With the values substituted, the Reachable Time for an ARP entry ranges from 15 to 45 seconds.

We can change the BRT which in turn changes the Reachable Time via the netsh utility from an elevated command prompt.

First get the network adapter’s index by running,

netsh interface ipv4 show interfaces


The second item in the list having index number 7 is my wired Ethernet adapter. The index number various from PC to PC.

Next change the BRT by running,

netsh interface ipv4 set interface INTERFACE_INDEX basereachabletime=n

Here, “INTERFACE_INDEX” is the network adapter id obtained in the previous step and “n” is the time value in milliseconds. For instance, to change the BRT to one minute, I’ve to run,

netsh interface ipv4 set interface 7 basereachabletime=60000

The Reachable Time values for an interface can be listed like so:

netsh interface ipv4 show interface INTERFACE_INDEX | find "Reachable Time"


As can be seen, the Base Reachable Time was 30000 ms initially (the default value). After setting it to 60000 ms, the Reachable Time became 72000 ms from 27500 ms.

As an arithmetic exercise we can calculate the random value chosen by the OS as,
RANDOM value = Reachable Time / Base Reachable Time
Default case: RANDOM value = 30000/27500 = 1.091
Updated case: RANDOM value = 72000/60000 = 1.2
And both are within the range 0.5–1.5 as predicated by RFC-4861.

Check out Protocol of The Week: ARP for a rigorous inside-out conceptual analysis of ARP.