Report: Networks

The address resolution protocol table, or ARP table, is the cached set of bindings between IP addresses (OSI layer 3) and their corresponding MAC addresses (layer 2). A socket is a logical communication endpoint in the transport layer, specific to a machine, protocol, and port. Together they provide a snapshot of network activity on the target system.


Report Data: Arp

Following is the ARP table at the time the memory snapshot was taken of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication).

Network Arp Report

The following table describes each column of the reported data.

Column      Description                                                        Notes
Ip          IP (v4 or v6) address registered on the interface
Mac         The Media Access Control (MAC) hardware address of the interface
Dev Name    The network interface device name
Used
Dev Type

Report Data: Sockets

Following is a snapshot of the Network:Sockets table from the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication).

Network Sockets Report

The following table describes each column of the reported data.

Column          Description                                   Notes
Pid             PID of the owning process
Process Name    Name of the owning process
Src Addr        Socket source IP (v4 or v6) address
Dst Addr        Socket destination IP (v4 or v6) address
Src Port        Socket source TCP port
Dst Port        Socket destination TCP port
Socket Type     Socket type                                   Can be STREAM, DATAGRAM, SEQPACKET, RAW
Socket State    Socket state                                  For example, LISTEN, OPEN, CLOSE, ESTAB, WAIT, ...
Socket Family   INET (IPv4) or INET6 (IPv6)
Ip Proto        Socket transport protocol                     TCP or UDP

Forensic Hints

Patterns to look for: unexpected network connections

The same ARP table can be obtained from a running Linux system via the arp command, and the same set of network sockets via the netstat -atu or ss -p -e -f inet commands; any difference between the set (a) read from user mode and the set (b) derived from memory inspection should be investigated, as discussed here.
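The comparison described above, as an added example that is not part of this report's tooling: a Python script that parses constructed `arp -n` and `netstat -atun` output, normalises it to the same shape as the Arp and Sockets report columns above, and lists entries present in memory but missing from user mode (and vice versa). The memory-derived rows are made-up dictionaries keyed by the report's column names; the assumption that the memory report shows an unconnected or listening peer as 0.0.0.0 port 0 (where netstat prints `0.0.0.0:*`) is the script's own normalisation, not something the report page states.

```python
"""Diff user-mode network state (arp -n, netstat -atun) against ARP entries
and sockets recovered from a memory image. Entries that exist only in the
memory-derived set are the ones a user-mode view can hide."""

# Constructed sample of `arp -n` output (not captured from a real host).
ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.20             ether   66:77:88:99:aa:bb   C                     eth0
"""

# Constructed sample of `netstat -atun` output (not captured from a real host).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Constructed rows shaped like the Arp report columns (values are made up).
MEMORY_ARP = [
    {"Ip": "192.168.1.1", "Mac": "00:11:22:33:44:55", "Dev Name": "eth0"},
    {"Ip": "192.168.1.20", "Mac": "66:77:88:99:aa:bb", "Dev Name": "eth0"},
    {"Ip": "192.168.1.99", "Mac": "de:ad:be:ef:00:01", "Dev Name": "eth0"},
]

# Constructed rows shaped like the Sockets report columns (values are made up).
# Assumption: a listening or unconnected socket is reported with peer 0.0.0.0:0.
MEMORY_SOCKETS = [
    {"Pid": 1201, "Process Name": "sshd", "Src Addr": "0.0.0.0", "Src Port": 22,
     "Dst Addr": "0.0.0.0", "Dst Port": 0, "Ip Proto": "TCP"},
    {"Pid": 1201, "Process Name": "sshd", "Src Addr": "192.168.1.10", "Src Port": 22,
     "Dst Addr": "192.168.1.20", "Dst Port": 51234, "Ip Proto": "TCP"},
    {"Pid": 812, "Process Name": "dhclient", "Src Addr": "0.0.0.0", "Src Port": 68,
     "Dst Addr": "0.0.0.0", "Dst Port": 0, "Ip Proto": "UDP"},
    {"Pid": 4410, "Process Name": "updater", "Src Addr": "192.168.1.10", "Src Port": 40001,
     "Dst Addr": "203.0.113.7", "Dst Port": 8080, "Ip Proto": "TCP"},
]


def parse_arp(text):
    """Return {ip: (mac, iface)} from `arp -n` output, skipping the header
    and incomplete entries (which have no hardware address column)."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        entries[fields[0]] = (fields[2].lower(), fields[-1])
    return entries


def split_endpoint(endpoint):
    """'192.168.1.10:22' -> ('192.168.1.10', 22); '0.0.0.0:*' -> ('0.0.0.0', 0).
    rpartition keeps IPv6 literals such as '::1' intact."""
    ip, _, port = endpoint.rpartition(":")
    return ip, 0 if port == "*" else int(port)


def parse_netstat(text):
    """Return a set of (proto, src_ip, src_port, dst_ip, dst_port) tuples
    from `netstat -atun` output; header lines are skipped by protocol name."""
    sockets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto = fields[0].rstrip("6").upper()
        src_ip, src_port = split_endpoint(fields[3])
        dst_ip, dst_port = split_endpoint(fields[4])
        sockets.add((proto, src_ip, src_port, dst_ip, dst_port))
    return sockets


def socket_key(row):
    """Project a memory-report row onto the same tuple shape parse_netstat uses."""
    return (row["Ip Proto"], row["Src Addr"], row["Src Port"],
            row["Dst Addr"], row["Dst Port"])


def compare(usermode_arp, usermode_sockets, memory_arp, memory_sockets):
    """Return the differences between the user-mode and memory-derived views."""
    mem_arp = {r["Ip"]: (r["Mac"].lower(), r["Dev Name"]) for r in memory_arp}
    mem_sock = {socket_key(r): r for r in memory_sockets}
    return {
        "arp_only_in_memory": sorted(set(mem_arp) - set(usermode_arp)),
        "arp_only_in_usermode": sorted(set(usermode_arp) - set(mem_arp)),
        "arp_mismatch": sorted(ip for ip in set(mem_arp) & set(usermode_arp)
                               if mem_arp[ip] != usermode_arp[ip]),
        "sockets_only_in_memory": sorted(
            (k, mem_sock[k]["Pid"], mem_sock[k]["Process Name"])
            for k in set(mem_sock) - usermode_sockets),
        "sockets_only_in_usermode": sorted(usermode_sockets - set(mem_sock)),
    }


def run():
    """Compare the constructed samples above; each non-empty list is a lead."""
    return compare(parse_arp(ARP_OUTPUT), parse_netstat(NETSTAT_OUTPUT),
                   MEMORY_ARP, MEMORY_SOCKETS)


if __name__ == "__main__":
    for finding, items in run().items():
        print(f"{finding}: {items}")
```

On the constructed data the script reports one ARP neighbour (192.168.1.99) and one TCP connection (pid 4410, "updater", to 203.0.113.7:8080) that the memory image contains but user-mode output does not; those are exactly the entries the hint above says to investigate. Entries that appear only in user mode usually reflect timing (state changed between the command and the capture) and are listed separately so they can be triaged with lower priority.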