ARP Tables & MAC Address Tables
Location
Network switch CAM/MAC tables (show mac address-table) and endpoint ARP caches (arp -a, ip neigh)
Description
Layer 2 address resolution data mapping IP addresses to MAC addresses (ARP tables) and MAC addresses to physical switch ports (CAM/MAC address tables). Provides physical network topology mapping at the data-link layer.
Forensic Value
ARP and MAC address tables enable physical-layer attribution by mapping IP addresses through MAC addresses to specific switch ports and physical locations. This chain of evidence (IP → MAC → switch port → building/floor/jack) provides definitive device identification even when IP addresses change. Duplicate MAC addresses or IP addresses in ARP tables indicate ARP spoofing attacks. Historical snapshots of MAC address tables can prove which device occupied a specific network port at incident time. Rogue devices appear as unknown MACs on monitored ports.
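The correlation described above can be scripted. This is an added example, not part of the original page: it joins an `ip neigh` snapshot with `show mac address-table` output to build the IP → MAC → switch port chain, and lists MACs that answer for more than one IP and MACs missing from an asset inventory. The sample output, the `KNOWN_MACS` inventory and the function names are constructed for illustration; a MAC shared by several IPs is a lead to verify, since hosts with several addresses on one interface produce the same pattern.

```python
import re
from collections import defaultdict

# Constructed sample data (not from a real network).
IP_NEIGH = """\
10.0.10.1 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.0.10.23 dev eth0 lladdr 00:1a:2b:3c:4d:17 STALE
10.0.10.42 dev eth0 lladdr 00:1a:2b:3c:4d:17 REACHABLE
10.0.10.77 dev eth0 lladdr de:ad:be:ef:00:99 STALE
10.0.10.80 dev eth0  FAILED
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d01    DYNAMIC     Gi1/0/1
  10    001a.2b3c.4d17    DYNAMIC     Gi1/0/12
  10    dead.beef.0099    DYNAMIC     Gi1/0/30
"""
KNOWN_MACS = {"001a2b3c4d01", "001a2b3c4d17"}  # hypothetical asset inventory

def norm(mac):
    """Normalize colon, dash or dotted notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_ip_neigh(text):
    """Return {ip: mac}; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    pairs = re.findall(r"^(\S+) dev \S+ lladdr (\S+)", text, re.M)
    return {ip: norm(mac) for ip, mac in pairs}

def parse_mac_table(text):
    """Return {mac: port} from 'show mac address-table' rows."""
    rows = re.findall(r"^\s*\d+\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)", text, re.M)
    return {norm(mac): port for mac, port in rows}

def analyze(neigh_text, table_text, known):
    """Build the IP -> (MAC, port) chain and flag shared and unknown MACs."""
    arp, cam = parse_ip_neigh(neigh_text), parse_mac_table(table_text)
    chain = {ip: (mac, cam.get(mac)) for ip, mac in arp.items()}
    by_mac = defaultdict(list)
    for ip, mac in arp.items():
        by_mac[mac].append(ip)
    shared = {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}
    unknown = sorted(m for m in cam if m not in known)
    return chain, shared, unknown

if __name__ == "__main__":
    chain, shared, unknown = analyze(IP_NEIGH, MAC_TABLE, KNOWN_MACS)
    print(chain, shared, unknown, sep="\n")
```

Running the same join against timestamped snapshots of both tables gives the per-port history needed to show which device was on a port at incident time.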