ARP Table

Overview

Evidence: ARP Table
Description: Collect ARP Table
Category: Network
Platform: Windows
Short Name: arpt
Is Parsed: Yes - ARP table parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The ARP (Address Resolution Protocol) table maps IP addresses to physical MAC addresses on the local network. Windows maintains this cache for performance, storing recent IP-to-MAC mappings learned from network communication.

The ARP cache can reveal devices the system has recently communicated with on the local network, including routers, file servers, and other workstations.

Data Collected

Field            Description              Example
PhysicalAddress  MAC address              00:50:56:C0:00:08
IPAddress        IP address               192.168.1.1
Adapter          Network adapter index    12
Type             Entry type               4 (Static)

Collection Method

This collector uses the Windows API to enumerate the ARP cache:

  • Calls GetIpNetTable to retrieve all ARP entries

  • Parses raw MAC addresses into readable colon-separated format

  • Records the adapter (interface index) associated with each entry

ARP entry type codes: Other (1), Invalid (2), Dynamic (3), Static (4).

Usage

The ARP cache reveals local network communication patterns. Investigators use this data to identify devices on the local network, detect ARP spoofing, track lateral movement targets, identify network infrastructure devices, correlate with network connection data, and detect man-in-the-middle attacks.
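As an added example (not part of this collector's code), the script below turns raw rows shaped like the GetIpNetTable output into the parsed fields listed under Data Collected, then applies one of the Usage checks: flagging a single hardware address that answers for more than one unicast IP, a common ARP spoofing indicator. The sample rows are constructed, and their layout (adapter index, MAC bytes, IP bytes, type code) is an assumption for illustration.

```python
import ipaddress
from collections import defaultdict

# Entry type codes as documented for this collector.
ARP_TYPES = {1: "Other", 2: "Invalid", 3: "Dynamic", 4: "Static"}

# Constructed sample rows (assumed layout, not real collector output):
# (adapter index, MAC bytes, IPv4 bytes in network order, type code).
SAMPLE_ROWS = [
    (12, bytes.fromhex("005056c00008"), b"\xc0\xa8\x01\x01", 3),  # 192.168.1.1 gateway
    (12, bytes.fromhex("005056c00008"), b"\xc0\xa8\x01\x37", 3),  # 192.168.1.55, same MAC
    (12, bytes.fromhex("001b21aabbcc"), b"\xc0\xa8\x01\x0a", 4),  # 192.168.1.10 static
    (12, bytes.fromhex("ffffffffffff"), b"\xc0\xa8\x01\xff", 4),  # broadcast
    (12, bytes.fromhex("01005e000016"), b"\xe0\x00\x00\x16", 4),  # multicast 224.0.0.22
]


def format_mac(raw: bytes) -> str:
    """Render 6 raw bytes as the colon-separated upper-case form shown in the docs."""
    return ":".join(f"{b:02X}" for b in raw)


def parse_rows(rows):
    """Produce one record per row using the field names from Data Collected."""
    entries = []
    for index, phys, addr, type_code in rows:
        entries.append({
            "PhysicalAddress": format_mac(phys),
            "IPAddress": str(ipaddress.IPv4Address(addr)),
            "Adapter": index,
            "Type": f"{type_code} ({ARP_TYPES.get(type_code, 'Unknown')})",
        })
    return entries


def shared_mac_ips(entries):
    """Map each MAC backing more than one unicast IP to those IPs.
    Broadcast/multicast MACs (group bit set in the first octet) are skipped,
    since they legitimately appear with several addresses."""
    by_mac = defaultdict(list)
    for e in entries:
        if int(e["PhysicalAddress"][:2], 16) & 1:
            continue
        by_mac[e["PhysicalAddress"]].append(e["IPAddress"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for entry in parsed:
        print(entry)
    print("Shared MACs:", shared_mac_ips(parsed))
```

A hit from shared_mac_ips is only a lead: confirm it against the adapter's known gateway MAC and the TCP/UDP connection data before treating it as spoofing.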

Known Limitations

  • Highly volatile (entries time out)

  • Limited to local network subnet

  • Static entries may be fake (ARP spoofing)

  • Cache size is limited

Notes

The ARP cache is point-in-time and highly volatile. Entries typically expire after 2-10 minutes of inactivity. Cross-reference with TCP/UDP connection data for a complete network picture.
