Ubuntu – How does the arp command resolve hostnames


When I run the arp command I get the following:

mark@mark-P8Z77-I-0:~$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
                         ether   08:86:3b:c8:d8:09   C                     eth0
                         ether   e0:91:f5:7c:7c:34   C                     eth0
                         ether   9c:d3:6d:b1:d3:49   C                     eth0
                         ether   94:10:3e:48:60:0d   C                     eth0
mark-N3050T              ether   d0:17:c2:ad:ff:58   C                     eth0
                         ether   b8:27:eb:ad:2e:72   C                     eth0
                                 (incomplete)                              eth0
                         ether   ec:1a:59:cb:42:25   C                     eth0
                         ether   54:4a:16:02:54:a8   C                     eth0
                         ether   84:ba:3b:05:6d:45   C                     eth0
                         ether   a4:77:33:2b:29:40   C                     eth0
                         ether   00:18:dd:04:6a:cc   C                     eth0
mark-N53Jf               ether   48:5d:60:71:7f:be   C                     eth0
gateway                  ether   28:c6:8e:20:a8:e5   C                     eth0

All three hostnames that are present in the report can also be pinged using ping hostname.
The arp table, /proc/net/arp, contains only IP addresses:

mark@mark-P8Z77-I-0:~$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device
                 0x1         0x2         08:86:3b:c8:d8:09     *        eth0
                 0x1         0x2         e0:91:f5:7c:7c:34     *        eth0
                 0x1         0x2         9c:d3:6d:b1:d3:49     *        eth0
                 0x1         0x2         94:10:3e:48:60:0d     *        eth0
                 0x1         0x2         d0:17:c2:ad:ff:58     *        eth0
                 0x1         0x2         b8:27:eb:ad:2e:72     *        eth0
                 0x1         0x0         00:00:00:00:00:00     *        eth0
                 0x1         0x2         ec:1a:59:cb:42:25     *        eth0
                 0x1         0x2         54:4a:16:02:54:a8     *        eth0
                 0x1         0x2         84:ba:3b:05:6d:45     *        eth0
                 0x1         0x2         a4:77:33:2b:29:40     *        eth0
                 0x1         0x2         00:18:dd:04:6a:cc     *        eth0
                 0x1         0x2         48:5d:60:71:7f:be     *        eth0
                 0x1         0x2         28:c6:8e:20:a8:e5     *        eth0

What service do the arp command and ping use to resolve the hostname?

I have tried several but the closest I get is avahi-browse. However, it reports more hostnames on my network than arp reports and all have .local appended to the name.

Also, two of the three hostnames that arp reports are remote Ubuntu systems. I do not recall performing any special configuration on those systems to permit this behavior. The "gateway" hostname is provided by the router. One of the connected systems is a Raspbian system.

How would I configure the Raspbian system for this behavior?
How are the hostnames transferred?

What command would I use to resolve these hostnames?

A final note: The hostnames seem to come and go based on how stale the data is, but I have not fully investigated this. I only know that I need to ping from a given (Ubuntu) host for it to capture hostnames of other systems. I have not scoped out what queries most rapidly fill this information.

After reviewing the comments as of 8:00PM EST Dec. 18, I can share the following information:
The hosts line in /etc/nsswitch.conf:

hosts:          files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns mdns4 myhostname

No remote hosts are listed in /etc/hosts.

avahi-resolve-address resolves the following:    Failed to resolve: Timeout reached (is "gateway") raspberrypi.local    (shows in arp report as mark-3050T.local    (shows in arp as mark-3050T) is currently offline but is similar to

Though mark-N3050T is reported by arp, pinging it fails.
ping mark-N3050T.local fails but ping succeeds
ping gateway succeeds.
ping raspberrypi.local succeeds even though raspberrypi is not reported by arp

When I was writing my original post, ping mark-N3050T would work, so some ageing is occurring that removes this hostname. I have not found the command that will refresh the hostname. The difference between arp and ping is that arp is resolving an IP address to a hostname while ping is performing the opposite. However, I would expect symmetry in the answers.

I am only pursuing this to increase my understanding of how LAN networking works. I do appreciate anyone who is willing to assist me.

Best Answer

Here is the sequence:

  • At first arp gets its data (cache) from /proc/net/arp; Linux exposes its ARP cache to userland via the pseudo procfs filesystem's /proc/net/arp file. The kernel does not store any domain name, only IP addresses; this is analogous to using arp -n.

  • Now when you want arp to get you the hostnames, arp will simply follow glibc's nsswitch configuration, precisely /etc/nsswitch.conf, and will try to get you the hostnames using the very sequence mentioned in that file, e.g. hosts: files mdns4 dns; in this case arp will:

    • Check the /etc/hosts file
    • Then mdns (Multicast DNS)
    • General DNS

    Just to note, if you see .local at the end of a domain name, then it's (presumably) resolved by mdns (unless you actually have such a TLD).
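
The two steps described in the answer, as an added example that is not part of the original post: it parses /proc/net/arp-format text (which carries no names), lists the lookup order from an nsswitch hosts line, and reverse-resolves each address through libc. The sample IP addresses are constructed, and the function names are illustrative.

```python
import socket

ATF_COM = 0x02  # kernel flag: entry is complete (a MAC address was learned)

# Constructed sample in /proc/net/arp layout; the IP addresses are made up.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         28:c6:8e:20:a8:e5     *        eth0
192.168.1.20     0x1         0x2         d0:17:c2:ad:ff:58     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# The hosts line quoted in the question.
HOSTS_LINE = ("hosts:          files mdns4_minimal [NOTFOUND=return] resolve "
              "[!UNAVAIL=return] dns mdns4 myhostname")


def parse_arp(text):
    """Parse /proc/net/arp text into dicts; the kernel table holds no names."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields
        entries.append({"ip": ip, "mac": mac, "dev": dev,
                        "complete": bool(int(flags, 16) & ATF_COM)})
    return entries


def nss_sources(hosts_line):
    """Return the lookup sources in order, dropping [STATUS=action] items."""
    _db, _, rest = hosts_line.partition(":")
    return [tok for tok in rest.split() if not tok.startswith("[")]


def reverse_lookup(ip):
    """Reverse-resolve through libc, which walks the nsswitch hosts sources."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # herror/gaierror: no source returned a name
        return None


def annotate(entries, resolver=reverse_lookup):
    """Pair each entry with a name, falling back to the IP as `arp` does."""
    return [(resolver(e["ip"]) or e["ip"],
             e["mac"] if e["complete"] else "(incomplete)", e["dev"])
            for e in entries]


if __name__ == "__main__":
    with open("/proc/net/arp") as f:
        for row in annotate(parse_arp(f.read())):
            print("%-24s %-20s %s" % row)
```

From a shell, getent hosts followed by an address performs the same NSS-driven reverse lookup for a single entry.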
