mirror of
https://github.com/fleetdm/fleet
synced 2026-05-06 06:48:54 +00:00
26 lines
1.2 KiB
YAML
26 lines
1.2 KiB
YAML
name: arp_cache
|
|
description: The Address Resolution Protocol (ARP) cache maps IP addresses to MAC addresses in the network stack on Linux, macOS & Windows.
|
|
examples: |-
|
|
Basic query:
|
|
|
|
```
|
|
SELECT address, interface, mac FROM arp_cache;
|
|
```
|
|
|
|
Compare gateway IP addresses (which are typically routers) to a list of known MAC addresses:
|
|
|
|
```
|
|
SELECT * FROM arp_cache WHERE address IN (INSERT_GATEWAY_IPS) AND mac NOT IN (INSERT_EXPECTED_MAC_ADDRESSES);
|
|
```
|
|
notes: |-
|
|
The first six digits of a MAC address are the known as the [Organizationally Unique Identifier](https://en.wikipedia.org/wiki/Organizationally_unique_identifier)
|
|
|
|
Manufacturer and model information can be looked up by MAC address using [Wireshark OUI Lookup](https://www.wireshark.org/tools/oui-lookup.html)
|
|
|
|
OUI is used to populate manufacturer information in applications like [Wi-Fi Explorer](https://www.intuitibits.com/products/wifiexplorer/)
|
|
|
|
Monitoring the [ARP Cache](https://en.wikipedia.org/wiki/ARP_cache) is useful for maintaining network integrity & security. Querying data from this table can help to:
|
|
|
|
- Find network anomalies
|
|
- Troubleshoot network connectivity
|
|
- Uncover [ARP Spoofing](https://en.wikipedia.org/wiki/ARP_spoofing)
|