View Other Properties

Contents

View Other Properties

How to List ARP Cache Entries Across All Mac, Windows, and Linux Devices

Using Kolide, you can easily view and query ARP Cache Entries across your fleet.

Introduction

In order for a device to send certain types of messages with other devices on a local network, it must know the other device's MAC address. To obtain this information, a device will broadcast an ARP request on the network.

To speed up these future lookups for the same IP and MAC, many devices will save these responses for a period of time in what is known as an ARP Cache.

What ARP Cache Entry Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect ARP Cache Entries from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

ARP Cache Entries Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

interface Text

Interface of the network for the MAC

ip_address Text

IPv4 address target

mac_address Text

MAC address of broadcasted address

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

Why Should I Collect ARP Cache Entries?

Motivated attackers can often spoof and hide their activities by poisoning the device's ARP cache. Collecting information about the ARP Cache can help administrators discover and detect entries that may be indicative of a compromised device on your local network.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

The ARP Cache can provide administrators with information about other devices that are on the local networks your device connects to. A typical ARP cache will contain the unique identifiers of printers, routers, IoT devices, and other computers connected to your home network.

When you use Kolide to list ARP Cache Entry data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed by employees through Slack or Google Workspace account.

Share this story:

Related Device Properties:

New
Mac App Schemes
apps, network, default-software
New
/etc/hosts Entries
network, dns
New
Windows Programs
software
View full list of Kolide's Device Properties
Try Kolide Free
Try Kolide Free