
what would be the reason for seeing question marks in my ARP table?

Curious as to why there are question marks next to each of my IP addresses? There's a (somewhat bizarre) website that's been set up alleging Etre Check to be malware, within which it says the presence of these in one's ARP table is evidence of spoofing. I'm obviously not treating this source as trustworthy but would like to know regardless.


Also, what's the deal with that site/its Etre Check claims? I can't see it being discussed anywhere; somebody is clearly highly motivated by some reason or another.


Anyway, thanks in advance.


MacBook Air 13″, macOS 11.4

Posted on Jun 1, 2021 5:46 PM

Question marked as Top-ranking reply

Posted on Jun 3, 2021 3:29 PM

Though I can't find a reference, my guess would be the ? indicates the entry was created "on the fly" as opposed to entering the linkage when the device is added to the network.


If you manage a network, you would create an arp table to restrict which devices are allowed. Nobody is doing that on your Mac. It just uses the broadcast message to find devices and allows it and maps the MAC to the IP address.

And, doing more searching, https://stackoverflow.com/questions/4317049/arp-command-what-does-it-all-mean-and-getting-a-wireless-router-mac-address

This seems to be saying the same thing as I stated.

Your Mac isn't running a "true" DNS, so there is no truth data to compare the MAC and determine if it is really the host it claims to be. So, technically, it could be something spoofing an address, but unless you map out your entire network, the ? means nothing.


That website is just spreading FUD much like the OK sign is a "white power" symbol. They picked a normal output of the command and falsely assigned it a malicious response.
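An added example, not part of the original thread: a Python sketch that parses output in the macOS `arp -a` layout, ignores the name column (where `?` appears when no host name is available for the address) and instead flags any MAC address that answers for more than one IP, which is the pattern worth checking when ARP spoofing is the concern. The sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the macOS `arp -a` layout (not taken from the thread).
SAMPLE = """\
? (192.168.1.1) at a4:b1:c2:0:11:22 on en0 ifscope [ethernet]
? (192.168.1.23) at a4:b1:c2:0:11:22 on en0 ifscope [ethernet]
macbook.local (192.168.1.40) at 3c:22:fb:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
"""

# name, IP, MAC, interface; "(incomplete)" entries do not match and are skipped.
LINE = re.compile(
    r"^(\S+) \((\d+(?:\.\d+){3})\) at "
    r"((?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}) on (\S+)"
)

def normalize_mac(mac):
    """macOS drops leading zeros (a4:b1:c2:0:11:22); pad each octet to two digits."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_arp(text):
    """Yield (name, ip, mac, iface) for resolved unicast entries only."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, ip, mac, iface = m.groups()
        mac = normalize_mac(mac)
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast
            continue
        yield name, ip, mac, iface

def shared_macs(text):
    """Return {(iface, mac): [ips]} where one MAC answers for more than one IP."""
    seen = defaultdict(set)
    for _name, ip, mac, iface in parse_arp(text):
        seen[(iface, mac)].add(ip)
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > 1}

def unnamed_count(text):
    """Count unicast entries shown with '?' in the name column."""
    return sum(1 for name, *_ in parse_arp(text) if name == "?")

if __name__ == "__main__":
    for (iface, mac), ips in shared_macs(SAMPLE).items():
        print(f"{iface}: {mac} claimed by {', '.join(ips)}")
```

A shared MAC is a prompt to look closer, not proof: a router holding several addresses produces the same pattern.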

Jun 1, 2021 6:00 PM in response to Chargw_

I cannot answer your question, but Linc Davis (supposedly the author of the script) has not been active here for quite a number of years - he just suddenly stopped being a contributor. It has been at least 5 - 8 years which - to me - would mean that most everything no longer applies given we are now 5 - 7 Mac OS versions later. Especially when one considers that we are now on Big Sur which has changed just about everything including the file system and the fact that you can no longer access your OS or system since they are now "sequestered" in a read only volume - neither you nor anyone or anything else has write access.


And yes, Linc was quite vocal about etrecheck. And, no, it is not malware.


And, important add on: I do not find any website that does not identify itself as to owner of site/company/ blogger/whatever with absolutely no way to contact him/her/them as trustworthy or, actually, I would not consider it worth looking at.
