"Fossies" - the Fresh Open Source Software archive

Member "arpwatch-NG1.7/arpwatch.8" of archive arpwatch-NG1.7.tar.gz:

ARPWATCH

Section: Maintenance Commands (8)
Updated: 13 SEPTEMBER 2006
Index
 

NAME

arpwatch NG - keep track of ethernet/ip address pairings  

SYNOPSIS

arpwatch [ -d ] [ -f data_file ]

          [ -i interface ] [ -n net[/width ]] [ -N ] [ -r pcap_file ]

          [ -p ] [ -P pcap_filter ]

          [ -m report_mode ]

          [ -s sendmail_prog ] [ -t mail_to ] [ -F mail_from ]

          [ -u username ]

 

DESCRIPTION

arpwatch keeps track for ethernet/ip address pairings. It syslogs activity and reports certain changes via email. arpwatch uses pcap(3) to listen for arp packets on a local ethernet interface.

-d is used enable debugging. This also inhibits forking into the background and emailing the reports. Instead, they are sent to stdout.

-f is used to set the ethernet/ip address database filename. The default is arp.dat.

-i is used to override the default interface.

-n specifies additional local networks. This can be useful to avoid "bogon" warnings when there is more than one network running on the same wire. If the optional width is not specified, the default netmask for the network's class is used.

-N disables reporting any bogons; see option -n.

-r is used to specify a savefile (perhaps created by tcpdump(1) or pcapture(1)) to read from instead of reading from the network. In this case, arpwatch does not fork.

-m selects the output mode (report mode). Currently, 0 means the old mode (via sendmail), 1 is a simple stdout mode and arpwatch will not fork into the background. 2 means raw mode, where the fields are separated by a ",". Default is 0.

-p flag disables promiscuous operation. ARP broadcasts get through hubs without having the interface in promiscuous mode, while saving considerable resources that would be wasted on processing gigabytes of non-broadcast traffic. OTOH, setting promiscuous mode does not mean getting 100% traffic that would concern arpwatch.

-P option allows to specify a pcap filter expression for the traffic that will be watched by arpwatch. Prepended will be "(arp or rarp) and" to select only the ARP traffic. For expression please see tcpdump(8). Expressions must be enclosed in quotation marks ("").

Example: arpwatch -P "src net 10.20.23.0/24"

-s flag is used to specify the path to the sendmail program. Any program that takes the option -odi and then text from stdin can be substituted. This is useful for redirecting reports to log files instead of mail

-F option is used to specify From: field of the report message. By default arpwatch.

-t option is used to specify the e-mail address to which reports will be sent. By default, reports are sent to root on the local machine.

-u instructs arpwatch to drop root privileges and change the UID to username and GID to the primary group of username. This is recommended for security reasons, but username has to have write access to the default directory.

Note that an empty arp.dat file must be created before the first time you run arpwatch.

 

REPORT MESSAGES

Here's a quick list of some of the report messages generated by arpwatch(1) (and arpsnmp(1)):
new activity
This ethernet/ip address pair has been used for the first time six months or more.
new station
The ethernet address has not been seen before.
reused old mac
The ethernet address has changed from the most recently seen address to the third (or greater) least recently seen address. (This is similar to a flip flop.)
changed mac
The host switched to a new ethernet address.
dec flip flop
The ethernet address has changed from the most recently seen address to the second most recently seen address. (If either the old or new ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.)
bogon
The source ip address is not local to the local subnet.
ether broadcast
The mac ethernet address of the host is a broadcast address.
ether mismatch
The source mac ethernet address didn't match the address inside the arp packet.
ether too short
The ARP packet is corrupted and too short.
suppressed DECnet flip flop
A "flip flop" report was suppressed because one of the two addresses was a DECnet address.

 

FILES

/usr/operator/arpwatch - default directory
arp.dat - ethernet/ip address database
ethercodes.dat - vendor ethernet block list

 

SEE ALSO

arpsnmp(8), arp(8), bpf(4), tcpdump(1), pcapture(1), tcpdump(8), pcap(3)

 

AUTHORS

arpwatch NG was forked by Freek and is based upon the original arpwatch 2.1a13 and works of:

Craig Leres of the Lawrence Berkeley National Laboratory Network Research Group, University of California, Berkeley, CA.

The old arpwatch is available via anonymous ftp:

ftp://ftp.ee.lbl.gov/arpwatch.tar.gz

Numerous Debian vendor patches were merged, thanks to Peter Kelemen

arpwatch NG versions are announced at:

http://freshmeat.net/projects/arpwatch-ng

 

BUGS

Attempts are made to suppress DECnet flip flops but they aren't always successful.

Most error messages are posted using syslog.

 

Index

NAME
SYNOPSIS
DESCRIPTION
REPORT MESSAGES
FILES
SEE ALSO
AUTHORS
BUGS