All scripts
fault
Advanced
1–3 min
ARP / MAC Forensics
Network forensics for Layer 2/3 address anomalies: duplicate IP detection, MAC address flapping, stale ARP entry audit, DHCP snooping binding verification, and rogue host detection.
Cisco IOS/XE/NX-OS
Arista
HP
You're viewing a preview
The full script, parameters, and execution console are available with a free account.
Already have access? Sign in →
Capabilities
- Duplicate IP detection
- MAC flap timeline
- Stale ARP audit
- DHCP binding cross-check
- Rogue DHCP server scan
- Gratuitous ARP monitoring
- L2 loop risk from MACs
Required inputs
Parameters the script accepts. Defaults shown; some are vendor- or context-gated.
| Parameter | Type | Default | Notes |
|---|---|---|---|
Stale ARP threshold (mins) stale_arp_mins | number | 120 | — |
MAC flap window (mins) mac_flap_window | number | 10 | — |
Cross-check DHCP bindings check_dhcp | bool | true | — |
Sample inventory schema
Authoritative shape of the device/policy data this script consumes.
No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.
Expected output
Reference terminal output the script should produce — used as a stylistic and structural target.
terminal
ARP / MAC FORENSICS REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━
Device: dist-sw-01 (172.16.0.1)
DUPLICATE IP ADDRESSES DETECTED:
IP 10.0.100.45:
MAC aa:bb:cc:dd:ee:01 Port Gi1/0/12 VLAN 100 (seen 14:20:15)
MAC aa:bb:cc:dd:ee:99 Port Gi1/0/23 VLAN 100 (seen 14:22:03) ← CONFLICT!
→ Likely: static IP conflict or rogue host