How to List ARP Cache Entries Across All Mac, Windows, and Linux Devices
Using Kolide, you can easily view and query ARP Cache Entries across your fleet.
Introduction
For a device to send IPv4 traffic to another device on the same local network, it must know the other device's MAC (hardware) address. To learn it, the device broadcasts an ARP request asking which host holds the target IP address, and the owner of that address answers with its MAC address.
To avoid repeating this exchange for every packet, devices save the IP-to-MAC mappings they learn for a period of time in what is known as the ARP cache (or ARP table).
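The request/reply exchange and the cache that results from it, as an added example that is not part of the original page or of Kolide's agent. It encodes an ARP request and reply as raw Ethernet frames (the wire layout of ARP over Ethernet/IPv4), then feeds them to a toy cache whose entries expire after a TTL; the addresses, the 60-second TTL and the `ArpCache` class are assumptions made for the illustration, not anything the page specifies.

```python
import struct
import time
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
# ARP over Ethernet/IPv4: htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP request (sent to the broadcast MAC) or a unicast reply."""
    dst = BROADCAST if oper == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the ARP payload of an Ethernet frame; rejects non-ARP and non-Ethernet/IPv4 ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"oper": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


@dataclass
class ArpCache:
    """Toy cache (assumption for this example): ip -> (mac, expiry time)."""
    ttl: float = 60.0
    entries: dict = field(default_factory=dict)

    def learn(self, frame: bytes, now: float) -> None:
        p = parse_arp(frame)
        # Only replies are cached here; a real stack also learns the sender of requests aimed at it
        if p["oper"] == ARP_REPLY:
            self.entries[p["sender_ip"]] = (p["sender_mac"], now + self.ttl)

    def lookup(self, ip: str, now: float):
        hit = self.entries.get(ip)
        if hit is None or hit[1] <= now:
            self.entries.pop(ip, None)
            return None  # miss: the stack would now broadcast a fresh request
        return hit[0]


def demo() -> dict:
    """Constructed exchange: 192.168.1.10 asks who has 192.168.1.1, the gateway answers."""
    cache = ArpCache(ttl=60.0)
    t0 = 1000.0
    req = build_arp(ARP_REQUEST, "aa:bb:cc:00:00:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
    cache.learn(req, t0)  # a request carries no answer, so nothing is cached yet
    rep = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.10")
    cache.learn(rep, t0 + 0.01)
    return {
        "request_is_broadcast": req[:6] == BROADCAST,
        "fresh": cache.lookup("192.168.1.1", t0 + 30),    # within TTL: served from cache
        "expired": cache.lookup("192.168.1.1", t0 + 120),  # past TTL: entry dropped
    }


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the reply authenticates the sender: the cache stores whatever MAC arrives in a reply for that IP, which is the property the next section's detection logic relies on.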
What ARP Cache Entry Data Can Kolide Collect?
Kolide's endpoint agent bundles osquery to efficiently collect ARP Cache Entries from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide parses, cleans up, and centrally stores this data in Inventory for your team to view, query, or export via the API.
Kolide meticulously documents every piece of data returned so you can understand the results.
ARP Cache Entries Schema
Column | Type | Description
---|---|---
id | Primary Key | Unique identifier for the object
device_id | Foreign Key | Device associated with the entry
device_name | Text | Display name of the device associated with the entry
interface | Text | Network interface on which the entry was learned
ip_address | Text | IPv4 address that was resolved
mac_address | Text | MAC address the IPv4 address resolved to
collected_at | Timestamp | Time the row of data was first collected in the database
updated_at | Timestamp | Time the row of data was last changed in the database
Why Should I Collect ARP Cache Entries?
An attacker on the same local network can poison a device's ARP cache (ARP spoofing) so that an IP address, typically the default gateway's, resolves to the attacker's MAC address. The device's traffic then flows through the attacker's machine, where it can be intercepted or modified. Collecting ARP cache entries lets administrators spot the tell-tale signs: a gateway IP whose MAC address has changed, or a single MAC address answering for several IP addresses. Such entries may indicate a compromised device, or a hostile host, on the local network.
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
The ARP cache can give administrators information about other devices on the local networks a device connects to. A typical ARP cache from a home network contains the IP and MAC addresses of printers, routers, IoT devices, and other computers on that network.
When you use Kolide to list ARP Cache Entry data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.