Address resolution cache, both static and dynamic (from ARP, NDP).
name: Windows.Network.ArpCache
description: Address resolution cache, both static and dynamic (from ARP, NDP).
parameters:
- name: wmiQuery
default: |
SELECT AddressFamily, Store, State, InterfaceIndex, IPAddress,
InterfaceAlias, LinkLayerAddress
from MSFT_NetNeighbor
- name: wmiNamespace
default: ROOT\StandardCimv2
- name: kMapOfState
default: |
{
"0": "Unreachable",
"1": "Incomplete",
"2": "Probe",
"3": "Delay",
"4": "Stale",
"5": "Reachable",
"6": "Permanent",
"7": "TBD"
}
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET interfaces <=
SELECT Index, HardwareAddr, IP
FROM Artifact.Windows.Network.InterfaceAddresses()
LET arp_cache = SELECT if(condition=AddressFamily=23,
then="IPv6",
else=if(condition=AddressFamily=2,
then="IPv4",
else=AddressFamily)) as AddressFamily,
if(condition=Store=0,
then="Persistent",
else=if(condition=(Store=1),
then="Active",
else="?")) as Store,
get(item=parse_json(data=kMapOfState),
member=encode(string=State, type='string')) AS State,
InterfaceIndex, IPAddress,
InterfaceAlias, LinkLayerAddress
FROM wmi(query=wmiQuery, namespace=wmiNamespace)
SELECT * FROM foreach(
row=arp_cache,
query={
SELECT AddressFamily, Store, State, InterfaceIndex,
IP AS LocalAddress, HardwareAddr, IPAddress as RemoteAddress,
InterfaceAlias, LinkLayerAddress AS RemoteMACAddress
FROM interfaces
WHERE InterfaceIndex = Index
})