arp

Inspect the local ARP cache to map IPs to MAC addresses.

Tags: Network Recon & Monitoring • Built-in OS CLI • Practiced in lab • Windows • Linux • macOS

Cyber Kill Chain & Defender Lifecycle

Attacker: Kill Chain
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on Objectives

Defender: IR Lifecycle
  8. Detection / Monitoring
  9. Containment & Eradication
  10. Post-incident Forensics

Description

arp displays the local ARP cache — the IP↔MAC mappings the host currently believes to be true on its L2 segment.

Why analysts care:

  • ARP poisoning / spoofing injects forged replies that rewrite the cache, so traffic destined for the gateway is silently redirected to the attacker's MAC (classic MitM).
  • Comparing two hosts' ARP tables can expose impostor MACs: the same IP resolving to different MACs on different hosts, or one MAC claiming several IPs, is a red flag.
  • Many enterprise tools (NAC, VLAN monitors) consume ARP data to track host presence.

Use cases

  • Detecting ARP-spoofing MitM on a LAN
  • Validating the gateway MAC during incident triage
  • Building a quick L2 inventory of a subnet

Example

arp -a
ip neigh show
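The checks described under "Why analysts care" can be scripted against the output of the two commands above. The block below is an added example, not part of the original page: it parses `arp -a` output in both the Linux and Windows formats as well as `ip neigh show` (the iproute2 equivalent on modern Linux, where `arp` belongs to the deprecated net-tools package), then flags one MAC claiming several IPs, a gateway MAC that differs from a documented baseline, and the same IP resolving differently on two hosts. All sample output, addresses and MACs are constructed for the example.

```python
"""Parse ARP-cache output and flag common signs of ARP spoofing.

Added example (not the original page's code). Every sample below is
constructed to resemble real `arp -a` / `ip neigh show` output.
"""
import re
from collections import defaultdict

# Constructed sample: Linux `arp -a` on host A. Note 192.168.1.77 answers
# with the gateway's MAC, the footprint of a spoofer that has taken over .1.
LINUX_ARP_A = """\
_gateway (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:20 [ether] on eth0
? (192.168.1.77) at aa:bb:cc:dd:ee:01 [ether] on eth0
"""

# Constructed sample: Windows `arp -a` on host B (dashes, header lines, broadcast entry).
WINDOWS_ARP_A = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: `ip neigh show`; the FAILED entry carries no MAC and is skipped.
IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 STALE
192.168.1.30 dev eth0  FAILED
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
ENTRY_RE = re.compile(IPV4 + r".*?" + MAC)


def normalize_mac(mac):
    """Lowercase, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return {ip: mac} from `arp -a` (Linux or Windows) or `ip neigh show` output.

    Lines without an IP followed by a MAC (headers, FAILED/INCOMPLETE
    neighbours, the Windows 'Interface:' line) are ignored.
    """
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def duplicate_macs(table):
    """{mac: [ips]} for every non-broadcast MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac != BROADCAST:
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table, gateway_ip, documented_mac):
    """True when the cached gateway MAC differs from the documented baseline."""
    current = table.get(gateway_ip)
    return current is not None and current != normalize_mac(documented_mac)


def compare_tables(table_a, table_b):
    """IPs cached on both hosts with different MACs: {ip: (mac_on_a, mac_on_b)}."""
    return {ip: (table_a[ip], table_b[ip])
            for ip in table_a.keys() & table_b.keys()
            if table_a[ip] != table_b[ip]}


if __name__ == "__main__":
    host_a = parse_arp(LINUX_ARP_A)
    host_b = parse_arp(WINDOWS_ARP_A)
    print("duplicate MACs on host A:", duplicate_macs(host_a))
    print("gateway MAC changed on A:", gateway_changed(host_a, "192.168.1.1", "AA-BB-CC-DD-EE-01"))
    print("A vs B disagreements:", compare_tables(host_a, host_b))
```

In practice the documented gateway MAC comes from the network team's inventory (or a baseline captured on a known-clean day) and the tables from several hosts are collected over the management channel, so the comparison is not itself fooled by a poisoned path.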