All scripts
fault
Advanced
1–3 min

ARP / MAC Forensics

Network forensics for Layer 2/3 address anomalies: duplicate IP detection, MAC address flapping, stale ARP entry audit, DHCP snooping binding verification, and rogue host detection.

Cisco IOS/XE/NX-OS
Arista
HP
Open in GeneratorOpen in Platform
You're viewing a preview

The full script, parameters, and execution console are available with a free account.

Already have access? Sign in →

Capabilities

  • Duplicate IP detection
  • MAC flap timeline
  • Stale ARP audit
  • DHCP binding cross-check
  • Rogue DHCP server scan
  • Gratuitous ARP monitoring
  • L2 loop risk from MACs

Required inputs

Parameters the script accepts. Defaults shown; some are vendor- or context-gated.

ParameterTypeDefaultNotes
Stale ARP threshold (mins)
stale_arp_mins
number120
MAC flap window (mins)
mac_flap_window
number10
Cross-check DHCP bindings
check_dhcp
booltrue

Hint 1Name your vendors and OS versions

Mention the exact platforms you run (Cisco IOS/XE/NX-OS, Arista, HP) so the generated fault logic uses the right CLI/NETCONF syntax.

Hint 2State your real thresholds

Provide concrete values for Stale ARP threshold (mins), MAC flap window (mins), Cross-check DHCP bindings instead of the defaults — they shape what counts as a fault.

Hint 3Prioritize the checks you need

This tool can duplicate IP detection and mAC flap timeline. Ask for the subset relevant to your incident to keep output focused.

Hint 4Describe your inventory format

Tell the assistant whether your device list is CSV, YAML, or JSON and which columns it has, so parsing matches your data.

Sample inventory schema

Authoritative shape of the device/policy data this script consumes.

No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.

Expected output

Reference terminal output the script should produce — used as a stylistic and structural target.

terminal
ARP / MAC FORENSICS REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━
Device: dist-sw-01 (172.16.0.1)

DUPLICATE IP ADDRESSES DETECTED:
  IP 10.0.100.45:
    MAC aa:bb:cc:dd:ee:01  Port Gi1/0/12  VLAN 100  (seen 14:20:15)
    MAC aa:bb:cc:dd:ee:99  Port Gi1/0/23  VLAN 100  (seen 14:22:03) ← CONFLICT!
  → Likely: static IP conflict or rogue host