OIT Network Switching and Routing

Hardware Address Last in IP ARP Data (HALIAD)

The Hardware Address Last in IP ARP Data (HALIAD) facility allows you to search recent IP ARP data collected by OIT. Specifically, you may search for a hardware address in that data, to learn the most-recent date on which that hardware address appeared. For example, you might use HALIAD to learn that hardware address 0:01:23:4a:b:dc last appeared in the IP ARP data collected by OIT on October 15 2007.

To search for a hardware address in HALIAD, visit the Hardware Address Last in IP ARP Data (HALIAD) Search page. Access is restricted to Web clients in the princeton.edu DNS domain, and also requires you to login using an OIT netid and password.

OIT provides HALIAD in response to requests from technical support staff who wish to have access to this data. We do not expect the facility to be used by most customers; its intended audience is technical support staff who understand what an IP ARP cache is.

The remainder of this document provides detailed information about HALIAD. While you need not read this information to use HALIAD, you may need this information to correctly interpret the results provided by HALIAD. There are a surprising number of technical details regarding what information HALIAD can and cannot provide. Without understanding them, it is easy to misinterpret HALIAD. For example, it would be an error to interpret the absence of a device's hardware address from HALIAD as clear indication that the device is not attached to the network.

Contents

  1. HALIAD Search Page
  2. From Where Does HALIAD Get its Data?
  3. HALIAD Isn't Omniscient
  4. How is HALIAD Related to Network Registration?
  5. Privacy Issues

HALIAD Search Page

To search for a hardware address in HALIAD, visit the Hardware Address Last in IP ARP Data (HALIAD) Search page. Access is restricted to Web clients in the princeton.edu DNS domain, and also requires you to login using an OIT netid and password.


From Where Does HALIAD Get its Data?

On most OIT networks, a daily record is made of all the topologically reasonable IPv4 addreses that were in-use (even briefly) on that day.

Specifically, we mean that some device used ARP to say "I'm using this IPv4 address" at some point during the day, and that at that time, the device was attached to the IP subnet appropriate for that IP address. Or that a DHCP server offered a lease on that IPv4 address to the client, in response to a DHCPDISCOVER from the client. Or that a DHCP server awarded a lease on that IPv4 address to the client, in response to a DHCPREQUEST from the client in DHCP INIT-REBOOT state. Or that the client performed Detection of Network Attachment (DNAv4) with that IP address as its claimed IP address, while it was attached to the IP subnet appropriate for that IP address.

Shortly after each day begins, we process the ARP data collected during the previous day, using it to update HALIAD.

HALIAD only records the most-recent date that a hardware address was seen in the IP ARP data. It does not record a history of use. When you search HALIAD, you can only learn the most-recent date the hardware address was seen.

HALIAD data more than approximately two years old is discarded. If you search HALIAD for a hardware address that has not been seen in the IP ARP data for more than approximately two years, you will not find it in HALIAD.

If you search HALIAD at the start of the day, before the previous calendar day's ARP data has been incorporated into HALIAD, the most recent IP ARP data available to HALIAD will be two days old. Once the previous day's IP ARP data has been incorporated into HALIAD, the most recent data available to HALIAD will be one day old. HALIAD does not include data from the current calendar day.

The results of a HALIAD search will show what period is currently included in the HALIAD data; for example, "March 17 2006 - March 16 2008". This information is displayed regardless of whether the hardware address you specified was found in the HALIAD data.

For the technically inclined, here are more details:


HALIAD Isn't Omniscient

HALIAD relies on the IPv4 ARP data collected from some traditional OIT IP routers. As a result, there are certain things it cannot know about:

Based on this information, you should be able to see that you cannot conclude that a device is not attached to the campus network just because its hardware address doesn't appear in HALIAD, There are a variety of common situations above in which a device may indeed be attached to the campus network, but not appear in HALIAD. (Of course, in some of these situations, the device is physically attached but not receiving useful network service.)

This limits the usefulness of HALIAD; when it shows a hardware address appears in the recent IP ARP data, it confirms that the hardware address has been attached to the network recently. But when it shows a hardware does not appear in the recent IP ARP data, one can draw no conclusion as to whether the device has been attached to the network recently. Despite this limitation, we make HALIAD available in response to requests from technical support staff who wish to have access to this data.


How is HALIAD Related to Network Registration?

HALIAD has no direct relationship to the Network Registration. HALIAD simply reads the IP ARP Data we obtain from IP routers; it doesn't care whether the IP addresses and hardware addresses in that data happen to appear in Network Registration.

This means, for example, that deleting an entry from Network Registration does not cause the device's hardware address(es) to be discarded from HALIAD. Nor does adding an entry to Network Registration cause hardware address(es) to be added to HALIAD. There's no direct relationship between Network Registration and HALIAD.

This is intentional; Network Registration and the routers' IP ARP tables are entirely different things. And it's perfectly reasonable to be able to delete an entry from Network Registration, and later wish to see when one of that entry's hardware addresses was last in the recent ARP data.

(For the technical inclined: there can sometimes be an indirect relationship between Network Registration and HALIAD. For example, consider a device obtaining an IP address via OIT-provided DHCP service in a manner that relies on the device being registered in Network Registration. Once that device's entry is deleted from Network Registration, the device may no longer obtain an IP address via OIT-provided DHCP service. Once the device is no longer able to obtain an IP address, and it stops using an appropriate IP address, it will stop appearing the OIT IP router's IP ARP cache. That will cause the device's "last seen" date in HALIAD to stop changing; HALIAD will continue to show the last date the hardware addresse used a topologically valid IP address. Assuming the device continues to not use a topologically valid IP address, its HALIAD record will eventually be discarded after approximately two years. So the removal of the entry from Network Registration influenced the HALIAD data, but in an indirect fashion.)


Privacy Issues

OIT recognizes that providing information about the usage of a network device can raise privacy concerns. We believe that HALIAD addresses these concerns because the information HALIAD provides is deliberately limited:


A service of OIT Network Switching and Routing
The Office of Information Technology,
Princeton University
Last Updated: March 21 2024