ARP Table
Overview
Evidence: ARP Table
Description: Collect ARP Table
Category: Network
Platform: windows
Short Name: arpt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The ARP (Address Resolution Protocol) table maps IP addresses to physical MAC addresses on the local network. Windows maintains this cache for performance, storing recent IP-to-MAC mappings from network communication.
ARP cache can reveal devices the system has recently communicated with on the local network, including routers, file servers, and other workstations.
Data Collected
This collector gathers structured data about the ARP table.
ARP Table Data
| Field | Description | Example |
|---|---|---|
| PhysicalAddress | MAC address | 00:50:56:C0:00:08 |
| IPAddress | IP address | 192.168.1.1 |
| Adapter | Network adapter index | 12 |
| Type | Entry type | 4 (Static) |
Collection Method
This collector uses the Windows API to enumerate the ARP cache:
- Calls GetIpNetTable to retrieve all ARP entries
- Parses MAC addresses into readable format
- Records adapter associations
ARP entry types: Other (1), Invalid (2), Dynamic (3), Static (4).
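The following is an added example, not the collector's own code, showing how the buffer that GetIpNetTable fills (a MIB_IPNETTABLE: a DWORD entry count followed by MIB_IPNETROW records of dwIndex, dwPhysAddrLen, bPhysAddr[8], dwAddr, dwType) is parsed into the PhysicalAddress / IPAddress / Adapter / Type records described on this page. The function names, the constructed sample rows and the ctypes wrapper are assumptions of this example; the wrapper only runs on Windows, while the parser itself runs anywhere against the constructed buffer.

```python
"""Parse a GetIpNetTable (MIB_IPNETTABLE) buffer into readable ARP records.

Added example; the structure layout is the public MIB_IPNETROW layout
(dwIndex, dwPhysAddrLen, bPhysAddr[8], dwAddr, dwType), 24 bytes per row,
preceded by a single DWORD dwNumEntries.
"""
import ctypes
import socket
import struct
import sys

# Entry types as documented for MIB_IPNETROW.dwType.
ARP_TYPES = {1: "Other", 2: "Invalid", 3: "Dynamic", 4: "Static"}

HEADER_STRUCT = struct.Struct("<I")        # dwNumEntries
ROW_STRUCT = struct.Struct("<II8s4sI")     # MIB_IPNETROW, 24 bytes
MAXLEN_PHYSADDR = 8

ERROR_INSUFFICIENT_BUFFER = 122
ERROR_NO_DATA = 232


def format_mac(raw, length):
    """Render the first `length` bytes of bPhysAddr as colon-separated hex."""
    return ":".join(f"{b:02X}" for b in raw[:length])


def parse_ipnettable(buf):
    """Turn a raw MIB_IPNETTABLE buffer into a list of record dicts."""
    (count,) = HEADER_STRUCT.unpack_from(buf, 0)
    entries = []
    for i in range(count):
        off = HEADER_STRUCT.size + i * ROW_STRUCT.size
        if off + ROW_STRUCT.size > len(buf):
            raise ValueError("truncated MIB_IPNETTABLE buffer")
        index, phys_len, phys, addr, entry_type = ROW_STRUCT.unpack_from(buf, off)
        if phys_len > MAXLEN_PHYSADDR:
            raise ValueError(f"row {i}: dwPhysAddrLen {phys_len} exceeds MAXLEN_PHYSADDR")
        entries.append({
            "PhysicalAddress": format_mac(phys, phys_len),
            # dwAddr holds the IPv4 address in network byte order.
            "IPAddress": socket.inet_ntoa(addr),
            "Adapter": index,
            "Type": entry_type,
            "TypeName": ARP_TYPES.get(entry_type, f"Unknown({entry_type})"),
        })
    return entries


def build_row(index, mac, ip, entry_type):
    """Pack one MIB_IPNETROW; used here only to construct sample input."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return ROW_STRUCT.pack(index, len(raw), raw.ljust(MAXLEN_PHYSADDR, b"\0"),
                           socket.inet_aton(ip), entry_type)


def sample_buffer():
    """Constructed sample table (not captured from a real host)."""
    rows = [
        build_row(12, "00:50:56:C0:00:08", "192.168.1.1", 4),    # gateway, static
        build_row(12, "3C:22:FB:12:34:56", "192.168.1.50", 3),   # workstation, dynamic
        build_row(12, "FF:FF:FF:FF:FF:FF", "192.168.1.255", 4),  # broadcast
    ]
    return HEADER_STRUCT.pack(len(rows)) + b"".join(rows)


def collect_live():
    """Windows only: call GetIpNetTable via ctypes and parse the result."""
    if sys.platform != "win32":
        raise OSError("GetIpNetTable is only available on Windows")
    iphlpapi = ctypes.WinDLL("iphlpapi")
    size = ctypes.c_ulong(0)
    # First call with a NULL buffer asks for the required size.
    rc = iphlpapi.GetIpNetTable(None, ctypes.byref(size), False)
    if rc == ERROR_NO_DATA:
        return []
    if rc not in (0, ERROR_INSUFFICIENT_BUFFER):
        raise ctypes.WinError(rc)
    buf = ctypes.create_string_buffer(size.value)
    rc = iphlpapi.GetIpNetTable(buf, ctypes.byref(size), False)
    if rc != 0:
        raise ctypes.WinError(rc)
    return parse_ipnettable(buf.raw)


if __name__ == "__main__":
    rows = collect_live() if sys.platform == "win32" else parse_ipnettable(sample_buffer())
    for row in rows:
        print(f'{row["IPAddress"]:<16} {row["PhysicalAddress"]:<18} '
              f'adapter={row["Adapter"]} type={row["TypeName"]}')
```

Two details matter when reading the buffer: dwAddr is stored in network byte order, so the four bytes are taken as-is rather than byte-swapped, and dwPhysAddrLen must be honoured because bPhysAddr is a fixed eight-byte field that is only meaningful up to that length.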
Forensic Value
ARP cache reveals local network communication patterns. Investigators use this data to identify devices on the local network, detect ARP spoofing attacks, track lateral movement targets, identify network infrastructure devices, correlate with network connections, and detect man-in-the-middle attacks.
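As an added example of the spoofing and man-in-the-middle triage described above (not the collector's own logic), the two checks below run over collected ARP records in the field shape documented on this page: one flags a single MAC address that answers for several IP addresses within one snapshot, the other flags an IP address whose MAC changed between two collections. The function names and the constructed snapshots are assumptions of this example.

```python
"""Triage checks over collected ARP Table records (added example).

Each record is a dict with the PhysicalAddress / IPAddress / Type fields
described on this page. Both checks produce leads, not verdicts: a router
with several addresses, proxy ARP or a virtualization host can legitimately
show one MAC for many IPs, so findings need confirmation against switch
tables or packet captures.
"""
from collections import defaultdict

BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"
IPV4_MULTICAST_PREFIX = "01:00:5E"


def is_noise(mac):
    """Broadcast and IPv4 multicast mappings are expected and skipped."""
    mac = mac.upper()
    return mac == BROADCAST_MAC or mac.startswith(IPV4_MULTICAST_PREFIX)


def shared_macs(entries):
    """Map each MAC claimed by more than one IP address to those IPs."""
    by_mac = defaultdict(set)
    for e in entries:
        if is_noise(e["PhysicalAddress"]):
            continue
        by_mac[e["PhysicalAddress"].upper()].add(e["IPAddress"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def mac_changes(before, after):
    """Report IPs whose MAC differs between two snapshots (old, new)."""
    previous = {e["IPAddress"]: e["PhysicalAddress"].upper() for e in before}
    findings = []
    for e in after:
        old = previous.get(e["IPAddress"])
        new = e["PhysicalAddress"].upper()
        if old is not None and old != new and not is_noise(new):
            findings.append((e["IPAddress"], old, new))
    return findings


# Constructed snapshots (not captured from a real host). In the second
# snapshot the gateway's IP resolves to the workstation's MAC.
SNAPSHOT_T0 = [
    {"PhysicalAddress": "00:50:56:C0:00:08", "IPAddress": "192.168.1.1", "Type": 4},
    {"PhysicalAddress": "3C:22:FB:12:34:56", "IPAddress": "192.168.1.50", "Type": 3},
    {"PhysicalAddress": "FF:FF:FF:FF:FF:FF", "IPAddress": "192.168.1.255", "Type": 4},
]
SNAPSHOT_T1 = [
    {"PhysicalAddress": "3C:22:FB:12:34:56", "IPAddress": "192.168.1.1", "Type": 3},
    {"PhysicalAddress": "3C:22:FB:12:34:56", "IPAddress": "192.168.1.50", "Type": 3},
    {"PhysicalAddress": "FF:FF:FF:FF:FF:FF", "IPAddress": "192.168.1.255", "Type": 4},
]


def triage(before, after):
    """Combine both checks into one report for an analyst."""
    return {"shared_macs": shared_macs(after), "mac_changes": mac_changes(before, after)}


if __name__ == "__main__":
    report = triage(SNAPSHOT_T0, SNAPSHOT_T1)
    for mac, ips in report["shared_macs"].items():
        print(f"MAC {mac} claims {len(ips)} IPs: {', '.join(ips)}")
    for ip, old, new in report["mac_changes"]:
        print(f"{ip}: MAC changed {old} -> {new}")
```

A gateway whose MAC changes to that of another workstation on the same segment, and that workstation's MAC then appearing for two IPs, is the pattern an analyst would correlate with the host's network connections from the same collection window.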