arpwatch question

Hi there,
I want to monitor the MAC to IPs from a different subnet then the current
LAN where arpwatch is running. How should I use arpwatch for this task?
Thanks a lot, Calin

Tester wrote:

> Hi there,
> I want to monitor the MAC to IPs from a different subnet then the current
> LAN where arpwatch is running. How should I use arpwatch for this task?
> Thanks a lot, Calin

Set up an alias on the alternative subnet
eg:

ifconfig eth0 192.168.0.1
ifconfig eth0:0 10.0.0.1

Tester <(E-Mail Removed)> wrote:
> Hi there,
> I want to monitor the MAC to IPs from a different subnet then the current
> LAN where arpwatch is running. How should I use arpwatch for this task?
> Thanks a lot, Calin

I don't know about arpwatch, but I usually use the following which is
run every minute from cron. Actually, you could make this every few
minutes.

* * * * * ${HOME}/bin/arpmap.sh


arpmap.sh contains the following (comments stripped)

mapfile=${HOME}/arpmap.txt
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
arpargs="-n -H ether -i eth1" # CHANGE ME
arp $arpargs | fgrep -v "(incomplete)" | awk 'NR > 1 {print $3,$1}' \
>> $mapfile
cat $mapfile | sort | uniq > $mapfile.new
mv $mapfile.new $mapfile

This is useful for finding IP clashes, and for Wake-on-LAN. Also DHCP
administration, to a lesser extent.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!

Hi Fred,
The other subnet is remote(10.1.1.0), through a router. My subnet let
us say is 192.168.0.0
Can I do the below what you said:
ifconfig eth0 192.168.0.1
ifconfig eth0:0 10.1.1.2
I have not too much experience with ifconfig.
Thank you very much, Calin

"Fred Emmott" <(E-Mail Removed)> wrote in message
news:c08bo8$ac$(E-Mail Removed)...
> Tester wrote:
>
> > Hi there,
> > I want to monitor the MAC to IPs from a different subnet then the
current
> > LAN where arpwatch is running. How should I use arpwatch for this task?
> > Thanks a lot, Calin
>
> Set up an alias on the alternative subnet
> eg:
>
> ifconfig eth0 192.168.0.1
> ifconfig eth0:0 10.0.0.1

"Tester" <(E-Mail Removed)> wrote in message news:<Rb6Wb.17106$(E-Mail Removed)>...
> Hi Fred,
> The other subnet is remote(10.1.1.0), through a router. My subnet let
> us say is 192.168.0.0
> Can I do the below what you said:
> ifconfig eth0 192.168.0.1
> ifconfig eth0:0 10.1.1.2
> I have not too much experience with ifconfig.
> Thank you very much, Calin
>
> "Fred Emmott" <(E-Mail Removed)> wrote in message
> news:c08bo8$ac$(E-Mail Removed)...
> > Tester wrote:
> >
> > > Hi there,
> > > I want to monitor the MAC to IPs from a different subnet then the
> current
> > > LAN where arpwatch is running. How should I use arpwatch for this task?
> > > Thanks a lot, Calin
> >
> > Set up an alias on the alternative subnet
> > eg:
> >
> > ifconfig eth0 192.168.0.1
> > ifconfig eth0:0 10.0.0.1

You may need to use the -n flag also. Man arpwatch.

Not only is it remote, but it is private! So is yours! And on a
different network! Doing this on someone else's network is _not_ a
friendly thing. If it _is_ your net, you shouldn't need an alias,
since if traffic is not directed to or coming from the alias IP, no
one will generate arps for the alias IP anyway. Just set up arpwatch
at the appropriate places -- or use a better tool.

man arpwatch
DESCRIPTION
Arpwatch keeps track for ethernet/ip address pairings. It
syslogs
activity and reports certain changes via email. Arpwatch uses
pcap(3)
to listen for arp packets on a _local_ethernet_interface_.

This is a kind of specialized network _sniffing_ and admins/ISPs take
a dim view when practised without authorization -- especially on a
remote network. It can be a part of a man-in-the-middle attack so far
as those (or the IDS) monitoring the net. You would have to
install/use the software _on_ the remote net and forward results back
to you.

There are other ways to do this remotely. If they were practised on a
net I was monitoring, it would get you in _very_deep_doo really fast!
If you're wanting to learn, find another, accepted, and authorized way
of going about it. Some schools keep a special lab just for this kind
of stuff. Or use your own lan.

Be careful out there,
prg
email above disabled

Hi P,
Thanks a lot, it is our network, different remote subnet and they have
sometimes duplicate IPs and asked me to look into it. You are right, I
should set up something locally on the remote LAN and forward results to me
since even if I set up an alias on my eth0 it will not work since my machine
is not a gateway. What uses does aliasing your ethernet card with more IPs
have, do you know? Thanks,Calin

"P Gentry" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> "Tester" <(E-Mail Removed)> wrote in message
news:<Rb6Wb.17106$(E-Mail Removed)>...
> > Hi Fred,
> > The other subnet is remote(10.1.1.0), through a router. My subnet
let
> > us say is 192.168.0.0
> > Can I do the below what you said:
> > ifconfig eth0 192.168.0.1
> > ifconfig eth0:0 10.1.1.2
> > I have not too much experience with ifconfig.
> > Thank you very much, Calin
> >
> > "Fred Emmott" <(E-Mail Removed)> wrote in message
> > news:c08bo8$ac$(E-Mail Removed)...
> > > Tester wrote:
> > >
> > > > Hi there,
> > > > I want to monitor the MAC to IPs from a different subnet then the
> > current
> > > > LAN where arpwatch is running. How should I use arpwatch for this
task?
> > > > Thanks a lot, Calin
> > >
> > > Set up an alias on the alternative subnet
> > > eg:
> > >
> > > ifconfig eth0 192.168.0.1
> > > ifconfig eth0:0 10.0.0.1
>
> You may need to use the -n flag also. Man arpwatch.
>
> Not only is it remote, but it is private! So is yours! And on a
> different network! Doing this on someone else's network is _not_ a

Tester <(E-Mail Removed)> wrote:

> What uses does aliasing your ethernet card with more IPs have, do you
> know? Thanks,Calin

The usual case for this is with webservers that offer virtual webservers
based on IP. That is to say, the website you get depends on the IP that
you (the client) connect to.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!