ARP Table

Overview

Evidence: ARP Table
Description: Collect ARP Table
Category: Network
Platform: windows
Short Name: arpt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The ARP (Address Resolution Protocol) table maps IP addresses to physical MAC addresses on the local network. Windows maintains this cache for performance, storing recent IP-to-MAC mappings from network communication.

The ARP cache can reveal devices the system has recently communicated with on the local network, including routers, file servers, and other workstations.

Data Collected

This collector gathers structured data about the ARP table.

ARP Table Data

Field           | Description           | Example
PhysicalAddress | MAC address           | 00:50:56:C0:00:08
IPAddress       | IP address            | 192.168.1.1
Adapter         | Network adapter index | 12
Type            | Entry type            | 4 (Static)

Collection Method

This collector uses the Windows API to enumerate the ARP cache:

  • Calls GetIpNetTable to retrieve all ARP entries

  • Parses MAC addresses into a readable format

  • Records the adapter each entry belongs to

ARP entry types: Other (1), Invalid (2), Dynamic (3), Static (4).
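The steps above, as an added example that is not the collector's own code: it parses rows in the MIB_IPNETROW layout (a hand-written mirror struct is assumed here so the code builds without the Windows SDK; on Windows the rows would be filled by GetIpNetTable), formats the MAC, maps the entry type, and flags the ARP-spoofing indicator investigators look for, namely one MAC claimed by several IPs on the same adapter. The sample cache is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Mirror of the MIB_IPNETROW fields used here (assumption: same layout as the
 * SDK struct; on Windows the rows come from GetIpNetTable in iphlpapi). */
typedef struct {
    uint32_t dwIndex, dwPhysAddrLen; /* adapter index; MAC length (6) */
    uint8_t  bPhysAddr[8];           /* MAC bytes */
    uint32_t dwAddr, dwType;         /* IPv4 (network order); entry type */
} arp_row;
const char *arp_type_name(uint32_t t) { /* 1 Other 2 Invalid 3 Dynamic 4 Static */
    static const char *n[] = {"Unknown", "Other", "Invalid", "Dynamic", "Static"};
    return t <= 4 ? n[t] : n[0];
}
/* Render the MAC as AA:BB:CC:DD:EE:FF; returns 0 for a non-Ethernet length. */
int format_mac(const arp_row *r, char *out, size_t outlen) {
    const uint8_t *m = r->bPhysAddr;
    if (r->dwPhysAddrLen != 6 || outlen < 18) return 0;
    snprintf(out, outlen, "%02X:%02X:%02X:%02X:%02X:%02X",
             m[0], m[1], m[2], m[3], m[4], m[5]);
    return 1;
}
uint32_t ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) { /* octets -> dwAddr */
    uint8_t o[4] = {a, b, c, d}; uint32_t v; memcpy(&v, o, 4); return v;
}

/* Unicast rows whose MAC is also claimed by another IP on the same adapter:
 * one host answering for the gateway and others is an ARP-spoofing indicator.
 * Broadcast/multicast MACs (group bit set) are legitimately shared and skipped. */
int count_shared_mac_rows(const arp_row *rows, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (rows[i].dwPhysAddrLen != 6 || (rows[i].bPhysAddr[0] & 1)) continue;
        for (size_t j = 0; j < n; j++)
            if (i != j && rows[i].dwIndex == rows[j].dwIndex &&
                rows[i].dwAddr != rows[j].dwAddr &&
                memcmp(rows[i].bPhysAddr, rows[j].bPhysAddr, 6) == 0) { hits++; break; }
    }
    return hits;
}

/* Constructed sample cache: 192.168.1.50 shows up with the gateway's MAC. */
int sample_shared_mac_count(void) {
    arp_row rows[] = {
        {12, 6, {0x00,0x50,0x56,0xC0,0x00,0x08}, ipv4(192,168,1,1), 3},
        {12, 6, {0x00,0x50,0x56,0xC0,0x00,0x08}, ipv4(192,168,1,50), 3},
        {12, 6, {0x00,0x0C,0x29,0xAA,0xBB,0xCC}, ipv4(192,168,1,20), 3},
        {12, 6, {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, ipv4(192,168,1,255), 4},
    };
    return count_shared_mac_rows(rows, sizeof rows / sizeof rows[0]);
}
```

On the sample, both the gateway row and the 192.168.1.50 row are flagged, while the broadcast entry is ignored.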

Forensic Value

The ARP cache reveals local network communication patterns. Investigators use this data to identify devices on the local network, detect ARP spoofing attacks, track lateral movement targets, identify network infrastructure devices, correlate with network connections, and detect man-in-the-middle attacks.
