Early this morning I sent a private message to the OP to understand why he was asking this question. It looked from his reply that the objective was to find whether someone had entered the same IP address on different workstations and accessed some unauthorized site.
Not sure if the following is a good suggestion but I thought if he looked at /var/log/messages on his firewall he may be able to see stuff such as: Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by 58:55:ca:43:83:91 on em0 Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by 00:f7:6f:d4:3d:b6 on em0 etc. and correlate back. Vijay Sent from my iPhone >> On Jun 23, 2017, at 06:47, Stuart Henderson <s...@spacehopper.org> wrote: >> >> On 2017-06-23, Indunil Jayasooriya <induni...@gmail.com> wrote: >> Is there any way to get an MAC address of a PC that was connected to >> OpenBSD PF box but now it is NOT connect to. > > If the PF box was serving DHCP and the PC fetched its address that way, > it will likely still be in the lease database, /var/db/dhcpd.leases. > > If this is something which might come up again in the future, you can > run arpwatch (in ports), but it's no time machine. > >