arpwatch question

Discussion in 'Linux Networking' started by Tester, Feb 9, 2004.

  1. Tester

    Tester Guest

    Hi there,
    I want to monitor the MAC to IPs from a different subnet than the current
    LAN where arpwatch is running. How should I use arpwatch for this task?
    Thanks a lot, Calin
     
    Tester, Feb 9, 2004
    #1

  2. Tester

    Fred Emmott Guest

    Set up an alias on the alternative subnet
    eg:

    ifconfig eth0 192.168.0.1
    ifconfig eth0:0 10.0.0.1
     
    Fred Emmott, Feb 9, 2004
    #2

  3. Tester

    Cameron Kerr Guest

    I don't know about arpwatch, but I usually use the following which is
    run every minute from cron. Actually, you could make this every few
    minutes.

    * * * * * ${HOME}/bin/arpmap.sh


    arpmap.sh contains the following (comments stripped)

    mapfile=${HOME}/arpmap.txt
    export PATH=/sbin:/usr/sbin:/bin:/usr/bin
    arpargs="-n -H ether -i eth1" # CHANGE ME
    arp $arpargs | fgrep -v "(incomplete)" | awk 'NR > 1 {print $3,$1}' \
        | cat - $mapfile | sort | uniq > $mapfile.new
    mv $mapfile.new $mapfile

    This is useful for finding IP clashes, and for Wake-on-LAN. Also DHCP
    administration, to a lesser extent.
     
    Cameron Kerr, Feb 9, 2004
    #3
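
Added example, not part of the thread: one way to pull IP clashes out of the map that arpmap.sh accumulates, by listing every IP that has been seen with more than one MAC. The function name `find_clashes` and the sample addresses are made up for illustration; the input format is the "MAC IP" pairs the script above writes.

```shell
#!/bin/sh
# Added example: report IPs in an arpmap.txt-style file ("<MAC> <IP>" per line)
# that have been seen with more than one distinct MAC address.

find_clashes() {
    # $1 = map file; reads stdin when no file is given
    awk '
        NF != 2 { next }                    # skip blank or malformed lines
        {
            mac = tolower($1); ip = $2      # aa:bb and AA:BB are the same NIC
            if (seen[ip, mac]++) next       # pair already counted
            macs[ip] = (count[ip]++ ? macs[ip] "," : "") mac
        }
        END {
            for (ip in count)
                if (count[ip] > 1) print ip, macs[ip]
        }
    ' "${1:--}" | sort
}

# Constructed sample data in arpmap.txt format (not real hosts).
sample_arpmap() {
    cat <<'EOF'
00:11:22:33:44:55 10.1.1.20
00:11:22:33:44:66 10.1.1.21
00:11:22:33:44:77 10.1.1.20
00:11:22:33:44:AA 10.1.1.22
00:11:22:33:44:aa 10.1.1.22
EOF
}

# Demo on the constructed sample; on a real host: find_clashes "$HOME/arpmap.txt"
sample_arpmap | find_clashes
```

Because arpmap.sh only ever adds pairs to the map, a replaced network card or a reassigned DHCP lease is reported the same way as a live duplicate, so each hit still needs checking against the current ARP cache.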
  4. Tester

    Tester Guest

    Hi Fred,
    The other subnet is remote (10.1.1.0), through a router. My subnet, let
    us say, is 192.168.0.0
    Can I do what you said below:
    ifconfig eth0 192.168.0.1
    ifconfig eth0:0 10.1.1.2
    I have not too much experience with ifconfig.
    Thank you very much, Calin
     
    Tester, Feb 10, 2004
    #4
  5. Tester

    P Gentry Guest

    You may need to use the -n flag also. Man arpwatch.

    Not only is it remote, but it is private! So is yours! And on a
    different network! Doing this on someone else's network is _not_ a
    friendly thing. If it _is_ your net, you shouldn't need an alias,
    since if traffic is not directed to or coming from the alias IP, no
    one will generate arps for the alias IP anyway. Just set up arpwatch
    at the appropriate places -- or use a better tool.

    man arpwatch
    DESCRIPTION
    Arpwatch keeps track for ethernet/ip address pairings. It syslogs
    activity and reports certain changes via email. Arpwatch uses pcap(3)
    to listen for arp packets on a _local_ethernet_interface_.

    This is a kind of specialized network _sniffing_ and admins/ISPs take
    a dim view when practised without authorization -- especially on a
    remote network. It can be a part of a man-in-the-middle attack so far
    as those (or the IDS) monitoring the net. You would have to
    install/use the software _on_ the remote net and forward results back
    to you.

    There are other ways to do this remotely. If they were practised on a
    net I was monitoring, it would get you in _very_deep_doo really fast!
    If you're wanting to learn, find another, accepted, and authorized way
    of going about it. Some schools keep a special lab just for this kind
    of stuff. Or use your own lan.

    Be careful out there,
    prg
    email above disabled
     
    P Gentry, Feb 10, 2004
    #5
  6. Tester

    Tester Guest

    Hi P,
    Thanks a lot, it is our network, different remote subnet and they have
    sometimes duplicate IPs and asked me to look into it. You are right, I
    should set up something locally on the remote LAN and forward results to me
    since even if I set up an alias on my eth0 it will not work since my machine
    is not a gateway. What uses does aliasing your ethernet card with more IPs
    have, do you know? Thanks, Calin
     
    Tester, Feb 11, 2004
    #6
  7. Tester

    Cameron Kerr Guest

    The usual case for this is with webservers that offer virtual webservers
    based on IP. That is to say, the website you get depends on the IP that
    you (the client) connect to.
     
    Cameron Kerr, Feb 12, 2004
    #7
