Report: Networks
The address resolution protocol table, or ARP table, is the cached set of bindings between IP addresses (OSI layer 3) and their corresponding MAC addresses (layer 2). A socket is a logical communication endpoint in the transport layer, specific to a machine, protocol, and port. Together they provide a snapshot of network activity on the target system.
Report Data: Arp
Following is the ARP table as it stood when the memory snapshot of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication) was taken.
The following table describes each column of the reported data.

Column | Description | Notes |
---|---|---|
Ip | IP (v4 or v6) address registered on the interface | |
Mac | The Media Access Control (MAC) hardware address of the interface | |
Dev Name | The network interface device name | |
Used | | |
Dev Type | | |
Report Data: Sockets
Following is a snapshot of the Network:Sockets table from the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication).
The following table describes each column of the reported data.

Column | Description | Notes |
---|---|---|
Pid | PID of the owning process | |
Process Name | Name of the owning process | |
Src Addr | Socket source IP (v4 or v6) address | |
Dst Addr | Socket destination IP (v4 or v6) address | |
Src Port | Socket source (TCP or UDP) port | |
Dst Port | Socket destination (TCP or UDP) port | |
Socket Type | Socket type | Can be STREAM, DATAGRAM, SEQPACKET, RAW |
Socket State | Socket state | For example, LISTEN, OPEN, CLOSE, ESTAB, WAIT, ... |
Socket Family | INET (IPv4) or INET6 (IPv6) | |
Ip Proto | Socket transport protocol | TCP or UDP |
Forensic Hints
Patterns to look for: unexpected network connections
The same ARP table can be obtained from a running Linux system via the `arp` command, and the same set of network sockets can be obtained via the `netstat -atu` or `ss -p -e -f inet` commands; any difference between these sets (a) read from usermode and (b) derived from memory inspection should be investigated, as discussed here.
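As an added example (not the tool's own code), the following script performs the comparison described above for sockets: it parses the memory-derived Network:Sockets table and a `netstat -atun` listing (the `-n` flag is assumed so addresses and ports stay numeric), reduces both to `(proto, src addr, src port, dst addr, dst port)` keys, and reports the sockets present on only one side. Both inputs are constructed samples.

```python
# Added example (not the tool's own code): cross-check the memory-derived
# Network:Sockets table against `netstat -atun` (-n assumed so addresses stay
# numeric). Both inputs are constructed samples.

MEMORY_REPORT = """\
Pid|Process Name|Src Addr|Dst Addr|Src Port|Dst Port|Ip Proto|Socket State
1423|sshd|0.0.0.0|0.0.0.0|22|0|TCP|LISTEN
2210|httpd|10.0.2.15|203.0.113.9|80|51734|TCP|ESTAB
3119|bash|10.0.2.15|198.51.100.7|45221|4444|TCP|ESTAB
"""

NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:80            203.0.113.9:51734       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def _endpoint(field):
    """Split 'addr:port' on the last colon (IPv6 contains colons); netstat's
    '*' port for unconnected sockets is normalised to 0 like the report."""
    addr, port = field.rsplit(":", 1)
    return addr, "0" if port == "*" else port

def parse_memory_report(text):
    """Keys (proto, src_addr, src_port, dst_addr, dst_port) from the report table."""
    rows = [ln.split("|") for ln in text.splitlines()[1:] if ln.strip()]
    return {(r[6], r[2], r[4], r[3], r[5]) for r in rows}

def parse_netstat(text):
    """Same keys from netstat -atun output; header and non-inet lines skipped."""
    keys = set()
    for ln in text.splitlines():
        p = ln.split()
        if len(p) < 5 or p[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        keys.add((p[0].rstrip("6").upper(), *_endpoint(p[3]), *_endpoint(p[4])))
    return keys

def compare_sockets(memory_keys, usermode_keys):
    """Sockets present in memory but absent from usermode output warrant the
    closest look (the usermode view may have been tampered with); the reverse
    set is often just churn between snapshot time and the netstat run."""
    return {"hidden_from_usermode": memory_keys - usermode_keys,
            "missing_from_memory": usermode_keys - memory_keys}
```

Run `compare_sockets(parse_memory_report(MEMORY_REPORT), parse_netstat(NETSTAT))` to see the constructed bash connection to port 4444 surface as hidden from usermode, while the UDP socket appears only in netstat.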