name: arp_cache
description: The Address Resolution Protocol (ARP) cache maps IP addresses to MAC addresses in the network stack on Linux, macOS & Windows.
examples: |-
  Basic query:

  ```
  SELECT address, interface, mac FROM arp_cache;
  ```

  Compare gateway IP addresses (which are typically routers) to a list of known MAC addresses:

  ```
  SELECT * FROM arp_cache WHERE address IN (INSERT_GATEWAY_IPS) AND mac NOT IN (INSERT_EXPECTED_MAC_ADDRESSES);
  ```
notes: |-
  The first six digits of a MAC address are the known as the [Organizationally Unique Identifier](https://en.wikipedia.org/wiki/Organizationally_unique_identifier)

  Manufacturer and model information can be looked up by MAC address using [Wireshark OUI Lookup](https://www.wireshark.org/tools/oui-lookup.html)

  OUI is used to populate manufacturer information in applications like [Wi-Fi Explorer](https://www.intuitibits.com/products/wifiexplorer/)

  Monitoring the [ARP Cache](https://en.wikipedia.org/wiki/ARP_cache) is useful for maintaining network integrity & security. Querying data from this table can help to:

    - Find network anomalies
    - Troubleshoot network connectivity
    - Uncover [ARP Spoofing](https://en.wikipedia.org/wiki/ARP_spoofing)