Clearing the ARP table. Clearing network address caches. Clearing the DNS cache

Windows treats the network very gently. So gently that out-of-date node data can sit in its caches for years.

Symptoms of outdated data can range from:

  • a ping by name goes to one address, and an attempt to connect to a terminal or resource by the same name goes to another;
  • when the gateway is physically changed (one device is replaced by another, but with the same IP address), the Internet disappears;
  • IP address conflicts appear on the local network, indicated by a balloon above the clock;
  • remote printers stop working;
  • and plenty of other delights.

Why does this happen? Because there are several network caches, and the data in them ceases to correspond not only to the real state of affairs on the network, but also to each other.

It can be cured using a completely standard procedure.

0. Disconnect from the local network

A running network may prevent all existing caches from being cleared correctly.

1. Clear the ARP cache

On a local network, computers communicate with each other not via IP, but via MAC addresses, that is, at a lower (link) level.
When a remote computer is contacted by IP, the first step is a broadcast request to obtain its physical address. The address received is placed in the ARP cache to speed up subsequent requests. Only then is the connection to the remote machine made, and it goes to the MAC address rather than the IP address.
In normal mode, the ARP cache entry is stored for two minutes from the last access, but no more than 10 minutes.

2. Clear the NetBIOS cache

This cache contains mappings of computers' NetBIOS names to their IP addresses. If you are lucky and there is also a WINS server on the network (something like DNS for NetBIOS names), it makes sense to clean that too.
Immediately after this cache is cleared, entries from the LMHOSTS file (%SystemRoot%\System32\drivers\etc\lmhosts) are loaded into it.

Many people consider the NetBIOS protocol outdated, but Microsoft still clings to it. Without it, Windows misbehaves on the network. With it, Windows creates a wild broadcast flood on its ports.

The Kido virus favors the use of NetBIOS.

3. Clear the DNS cache

ipconfig /flushdns

Everything is clear here. The DNS cache is a mapping of hosts' network names to their IP addresses.
Records from the HOSTS file (%SystemRoot%\System32\drivers\etc\hosts) are also loaded into it.

By the way, viruses love to change the location of the HOSTS file.

The path to it is set in the registry: branch HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, key DataBasePath, type REG_EXPAND_SZ.

If the command returns an error, you need to start (or restart) the DNS client service.
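A check for the HOSTS relocation mentioned above, as an added PowerShell example that is not part of the original page. It assumes the default directory is the one in the HOSTS path quoted in the text and treats every non-loopback entry as worth reviewing.

```powershell
# Added example, not from the original page: verify where Windows looks for HOSTS.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$expected = '%SystemRoot%\System32\drivers\etc'   # directory of the path quoted in the text

# Read the raw REG_EXPAND_SZ string, without expanding %SystemRoot%.
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$raw      = (Get-Item -Path $key).GetValue('DataBasePath', $null, $noExpand)

if ($null -eq $raw) {
    Write-Warning 'DataBasePath is missing from the registry.'
    return
}
if ($raw.TrimEnd('\') -ine $expected) {
    Write-Warning "DataBasePath was changed: '$raw' (expected '$expected')"
}

# Parse the HOSTS file that is actually in effect and collect its active entries.
$hostsPath = Join-Path ([Environment]::ExpandEnvironmentVariables($raw)) 'hosts'
Write-Host "Effective HOSTS file: $hostsPath"

$entries = Get-Content -Path $hostsPath -ErrorAction Stop |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |   # strip comments
    Where-Object   { $_ } |                                 # skip blank lines
    ForEach-Object {
        $address, $names = $_ -split '\s+'                  # first field is the IP, the rest are names
        foreach ($name in $names) {
            [pscustomobject]@{ Address = $address; Name = $name }
        }
    }

# Loopback entries are routine; anything else redirects a name and deserves a look.
$entries | Where-Object { $_.Address -notin '127.0.0.1', '::1' } |
    Format-Table -AutoSize
```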

4. Restore connection to the local network

5. Update network settings via DHCP

The command sends a request to the last used DHCP server (the address of this server) to obtain network settings.

All the procedures described can also be done in one go from the graphical interface.

In XP: Start > Control Panel > Network connections.
Right-click the desired connection and select “Restore” from the menu. The following operations are then performed:

  1. Broadcast DHCP request. Responses come from all DHCP servers.
  2. Clearing the ARP cache
  3. Clearing the NetBIOS cache, followed by loading of the LMHOSTS file.
  4. Clearing the DNS cache, followed by loading of the HOSTS file.
  5. Attempting to register in WINS (relevant only if it exists)
  6. Attempting to register in DNS (relevant only for AD)

Unfortunately, this easy method does not work well and does not always work.
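The manual sequence from steps 0 to 5, which covers the same operations as the list above, as an added PowerShell script that is not part of the original page. The choice of arp, nbtstat and ipconfig switches is this example's own, and it assumes an elevated session and that a non-zero exit code means the step failed.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session.
function Invoke-Step {
    param([string]$Name, [string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments | Out-Null                # run the native tool, discard its text output
    $ok = ($LASTEXITCODE -eq 0)                 # assumption: non-zero exit code means failure
    Write-Host ('{0,-38} {1}' -f $Name, $(if ($ok) { 'ok' } else { "failed ($LASTEXITCODE)" }))
    return $ok
}

Read-Host 'Step 0: disconnect from the local network, then press Enter' | Out-Null

$null = Invoke-Step 'Step 1: clear ARP cache'      'arp.exe'     @('-d', '*')
$null = Invoke-Step 'Step 2: reload NetBIOS cache' 'nbtstat.exe' @('-R')   # purges, then reloads LMHOSTS

if (-not (Invoke-Step 'Step 3: flush DNS cache' 'ipconfig.exe' @('/flushdns'))) {
    # Per the text: if the flush fails, start the DNS Client service and try again.
    Start-Service -Name Dnscache
    $null = Invoke-Step 'Step 3: flush DNS cache (retry)' 'ipconfig.exe' @('/flushdns')
}

Read-Host 'Step 4: reconnect to the local network, then press Enter' | Out-Null

$null = Invoke-Step 'Step 5: renew DHCP lease'       'ipconfig.exe' @('/renew')
# The last two items of the list above: WINS and DNS registration.
$null = Invoke-Step 'Re-register NetBIOS names/WINS' 'nbtstat.exe'  @('-RR')
$null = Invoke-Step 'Re-register in DNS'             'ipconfig.exe' @('/registerdns')
```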

When computers access DNS information, the name and address mappings found are temporarily stored in an ARP (Address Resolution Protocol) cache so that the next time the same information is accessed, the search does not have to be done again. This information ages according to the TTL (Time-To-Live) value set when it is received, and at the end of its lifetime, such information must be updated.

When new information is received, a new TTL value is set. In general, this automatic system of retrieving, cleaning and updating name and address mappings works well. But sometimes outdated information manages to cause problems before it is reset. So, if the DNS name of a computer changes and the TTL value has not yet been reset, you will temporarily lose the ability to find that computer.

Deleting old information about name mappings

DNS administrators have a few tricks up their sleeves that can help reduce the negative impact of name changes, such as setting a lower TTL before changing the name so that old information is deleted faster and doesn't cause problems. However, you may find that it's easier to simply get rid of the old data and have your computer look up the DNS information again.

To do this, enter netsh interface ip delete arpcache on the command line, or delete arpcache (if you are already in the Netsh interface ip context). This removes name and address mapping information for all interfaces configured on this computer.

Example of using clear arp cache

If you have several interfaces and you want to reset information for only one interface, specify the desired interface using InterfaceName, for example:

  • netsh interface ip delete arpcache
  • delete arpcache

Hi all! Today I will tell you how to view the ARP table on Windows. What is ARP? It is the Address Resolution Protocol, designed to convert IP addresses to MAC addresses, which are often also called physical addresses. Earlier I showed you what a Cisco ARP table looks like. I think that for many colleagues who are just getting acquainted with the network infrastructure of this operating system, this information will help lay a good foundation. The main thing here is to understand the principle of operation and the purpose; everything else is vendor-specific nuance.

An important feature of Ethernet is that each interface card has its own unique address. Each card manufacturer is allocated its own pool of addresses from which it can assign addresses to its cards. Under the Ethernet protocol, each interface has a 6-byte address, written as six groups of two hexadecimal digits (one byte per group). The first three bytes are called the prefix and are assigned to the manufacturer. Each prefix covers 2^24 different combinations, which is almost 17 million addresses.

In networks there is no one-to-one correspondence between the physical address of a network interface (the MAC address of the network card) and its IP address. The Ethernet address that corresponds to an IP address is looked up by the ARP protocol, which operates at the media access level. The protocol maintains a dynamic ARP table in RAM to cache the information it receives. Open the command line in Windows.

How to view the arp table

Enter the command

The IP address is shown on the left and the physical address (MAC address) on the right. This is the Windows ARP table.

By default, this cache lives for 300 seconds.

Clearing the arp table

Done using the command

And we see that the arp table has been cleared

How to add your entry to the arp table

This is done using the command

arp -s 157.55.85.212 00-aa-00-62-c6-09

Increasing the lifetime of an arp record in Windows 7 to 10

Let's use Windows 8.1 as the example of how to increase the lifetime of ARP records. Why might this be necessary? To relieve the network of excess traffic when little changes on it. This is all done through the Windows registry.

Press Win+R and enter regedit and go to the branch

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Here, to change how long data is kept in the ARP cache, you need to create a DWORD parameter. Create a 32-bit DWORD whether your system is 32-bit or 64-bit.

Name it ArpCacheLife and set the value in seconds. After a reboot, the lifetime of your ARP records will change.

Here is the complete help for the arp command

Display and change IP to physical address conversion tables,
used by the Address Resolution Protocol (ARP).

ARP -s inet_addr eth_addr
ARP -d inet_addr
ARP -a [-N if_addr] [-v]

  • -a Displays current ARP entries by querying the current protocol data. If inet_addr is specified, the IP and physical addresses are displayed for the specified computer only. If more than one network interface uses ARP, entries for each ARP table are displayed.
  • -g Same as the -a option.
  • -v Displays current ARP entries in verbose mode. All invalid entries and entries on the loopback interface are displayed.
  • inet_addr Specifies the IP address.
  • -N if_addr Displays ARP entries for the network interface specified by if_addr.
  • -d Removes the node specified by inet_addr. The inet_addr parameter can contain the wildcard * to remove all nodes.
  • -s Adds a host and associates the Internet address inet_addr with the physical address eth_addr. The physical address is specified as 6 hexadecimal bytes separated by hyphens. This association is permanent.
  • eth_addr Specifies the physical address.
  • if_addr If specified, gives the Internet address of the interface whose address translation table should be changed. If it is not specified, the first available interface is used.

RARP

Reverse ARP (RARP) is used to find the IP address that corresponds to a known MAC address. This protocol is used by diskless machines (https://ru.wikipedia.org/wiki/Diskless_workstation) that boot over the network. First of all, such a machine must find out its IP address and network parameters so that it can reach, say, a TFTP server from which it will download its boot image. The only thing such a machine knows about itself is its MAC address.

When working on a local network, it sometimes happens that a node or server suddenly becomes inaccessible from one computer, while it is visible from other computers and they have no problems accessing it. Sometimes the reason is that the MAC address of that node's network adapter has changed, and the ARP cache on the computer that cannot reach it has not been updated.

What is arp cache?

The ARP cache is a table that maps IP addresses to the physical addresses of network adapters. The table is updated whenever necessary, but sometimes it fails to update. The cause may be a system failure or an ARP spoofing attack on the computer, after which some nodes on the network may be unreachable and some websites may not open.

How to manually update the ARP cache on Windows 7 and Windows 8

The ARP table on a computer running Windows can be viewed from the command line. To open the command line, press the Start button and type Command line in the program search bar. The search results will show a shortcut that launches the Windows command line. To run it with Administrator rights, right-click the shortcut:

In the context menu that opens, select Run as Administrator. To view the ARP table, enter the command arp -a:

After that, to clear the ARP cache, enter the command: netsh interface ip delete arpcache
After the command runs, the ARP cache will be cleared.