Thursday, May 23, 2013

ARP Cache Behavior in Windows 8, 7 and Vista

This post applies to Windows 8, 7, Vista, 2012 and 2008.

If you depend on Ping Scanning to populate your Windows system ARP Cache, you may be in for a surprise. While Pinging a large number of local subnet IPs may populate your ARP cache, there are now limits on the size of the cache. In fact, the cache size might be much smaller than you think.

When you Ping, or send any IP packet for that matter, to an IP address, the operating system checks the ARP cache to see if there is a MAC address for that IP. If it cannot find the IP, it sends an ARP request to the target IP whether it's in your subnet or not. If the target IP is in your subnet, the device responds with an ARP reply so that communication can begin on the MAC address level. That ARP reply contains an IP/MAC address pair that gets added to your ARP cache. If the IP is outside your subnet, the ARP reply comes from the default gateway and that IP/MAC pair gets added to the ARP cache.

We recently had a user move his Managed Switch Port Mapping Tool from Windows XP to Windows 7. He emailed to ask why he saw MAC addresses but very few IP addresses. After much research we found that the ARP cache is no longer managed the way it was in XP and now defaults to a tiny 256-entry cache. What's more, the user found that his company had set the ARP cache limit to 10 IP/MAC addresses.

How to find out what your ARP cache size is now:
1. open a command prompt
2. enter this command and press Enter:
netsh interface ipv4 show global
3. make note of the Neighbor Cache Limit (second from the top). On this system it is 256 entries per interface.

While 256 may be enough for normal users, if you are ping scanning an IP range larger than 256 devices (like in a 10.x.x.x network) and expecting to see more results, you won't see them. In fact, our user was only seeing 10 because his company had set it at 10.
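To see whether a scan is running into this limit, the following PowerShell sketch compares the number of IPv4 neighbor entries on each interface with the Neighbor Cache Limit. It is an added example, not part of the original post. It assumes English-language netsh output and the Get-NetNeighbor cmdlet (Windows 8 / Server 2012 and later, so not Windows 7 or Vista); the function names are hypothetical, and the count includes every entry Get-NetNeighbor lists, so treat the percentage as approximate.

```powershell
# Added example: per-interface ARP (neighbor) cache usage versus the configured limit.
# Assumptions: English netsh output; NetTCPIP module available (Windows 8 / 2012+).

function Get-NeighborCacheLimit {
    # Parse "Neighbor Cache Limit : 256 entries per interface" from netsh.
    param([string[]]$NetshOutput = (netsh interface ipv4 show global))
    foreach ($line in $NetshOutput) {
        if ($line -match 'Neighbor Cache Limit\s*:\s*(\d+)') {
            return [int]$Matches[1]
        }
    }
    throw 'Neighbor Cache Limit not found in netsh output.'
}

function Get-NeighborCacheUsage {
    param(
        [int]$Limit = (Get-NeighborCacheLimit),
        [int]$WarnPercent = 90   # flag interfaces at or above this share of the limit
    )
    if ($Limit -le 0) { throw "Unexpected neighbor cache limit: $Limit" }

    # The limit is per interface, so group the entries by interface index.
    Get-NetNeighbor -AddressFamily IPv4 |
        Group-Object -Property ifIndex |
        ForEach-Object {
            $pct = [math]::Round(100 * $_.Count / $Limit, 1)
            [pscustomobject]@{
                IfIndex        = [int]$_.Name
                InterfaceAlias = $_.Group[0].InterfaceAlias
                Entries        = $_.Count
                Limit          = $Limit
                PercentUsed    = $pct
                NearLimit      = ($pct -ge $WarnPercent)
            }
        }
}

# Run after a ping scan: an interface with NearLimit = True has probably
# dropped IP/MAC pairs, so the scan results taken from the cache are incomplete.
Get-NeighborCacheUsage |
    Sort-Object -Property PercentUsed -Descending |
    Format-Table -AutoSize
```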

The good news is you can set your ARP cache size limit to a much larger number - here's how:
1. open an administrator command prompt
2. enter this command and press Enter:
netsh interface ipv4 set global neighborcachelimit=4096
