Lookup of addresses in arpwatch's e-mail notifications?

Discussion in 'Linux Networking' started by Ant, Aug 2, 2015.

  1. Ant

    Ant Guest

    Hello.

    Is there a way to look up each address like MAC and IP addresses, so I
    know whose device/host it is? I am currently using Debian oldstable.

    Thank you in advance. :)
    --
    Quote of the Week: "We're all ants. I'm a glittery little ant." --Alanis Morissette
    Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
    /\___/\ Ant(Dude) @ http://antfarm.home.dhs.org (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / Please nuke ANT if replying by e-mail privately. If credit-
    ( ) ing, then please kindly use Ant nickname and AQFL URL/link.
     
    Ant, Aug 2, 2015
    #1

  2. Ant

    Anonymous Guest

    "arp -n"?
    --
     
    Anonymous, Aug 3, 2015
    #2

  3. Ant

    Moe Trin Guest

    On Sun, 02 Aug 2015, in the Usenet newsgroup comp.os.linux.networking, in
    [euclid ~]$ grep 57:1E:48 /etc/ethers
    enterprise.phx.az.us 00:C0:D1:57:1E:48
    [euclid ~]$ /sbin/arp -a
    enterprise.phx.az.us (192.168.1.119) at 00:C0:D1:57:1E:48 [ether] on eth0
    [euclid ~]$

    but /etc/ethers assumes the network admin isn't using the microsoft
    crutch called 'BOOTP' (RFC0951) or 'DHCP' (RFC2131) because they're too
    st00pid to set up static addressing configurations. (/etc/ethers is a
    manually set-up file - man 5 ethers) If that's not the case you might
    look at the lease files on the DHCP server, or try

    [euclid ~]$ whatis arping
    arping (8) - sends arp and/or ip pings to a given host
    [euclid ~]$

    Back in the mid-1990s, to catch tourists who grabbed an IP out of their
    a$$ to avoid registering their hosts (and being charged a monthly
    maintenance fee), we used to run a PERL script every minute that grabbed
    the arp caches from file servers (man 5 arp) and routers on our network,
    and looked for hosts not in /etc/ethers.

    If you're trying to ID the hardware, perhaps you want the OUI file from
    http://standards.ieee.org/regauth/oui/oui.txt:

    -rw-r--r-- 1 root root 1102228 Jul 15 18:03 /usr/doc/misc/MACaddresses.gz

    which allows (if you know shell scripting) something like

    [euclid ~]$ etherwhois 00:20:af
    00-20-AF (hex) 3COM CORPORATION
    0020AF (base 16) 3COM CORPORATION
    5400 BAYFRONT PLAZA
    SANTA CLARA CA 95052
    UNITED STATES
    [euclid ~]$

    (etherwhois is a simple 'grep' on steroids to handle the variable length
    of the records).

    But the real question is "what are you actually looking for?"

    Old guy
     
    Moe Trin, Aug 3, 2015
    #3
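An `etherwhois`-style lookup as described in the post above, written here as an added example (it is not Moe Trin's script, and it is in Python, not shell). The names `parse_oui`, `prefix_of` and `etherwhois` and the embedded excerpt are assumptions of this example; a real run would read the downloaded oui.txt instead.

```python
import re

# Constructed excerpt in the oui.txt layout. The 3COM record is the one quoted
# in the post above; the other two are header-only records for prefixes that
# appear in this thread (their address lines are deliberately left out).
SAMPLE_OUI = (
    "00-1F-BC   (hex)\t\tEVGA Corporation\n"
    "001FBC     (base 16)\t\tEVGA Corporation\n"
    "\n"
    "00-20-AF   (hex)\t\t3COM CORPORATION\n"
    "0020AF     (base 16)\t\t3COM CORPORATION\n"
    "\t\t\t\t5400 BAYFRONT PLAZA\n"
    "\t\t\t\tSANTA CLARA CA 95052\n"
    "\t\t\t\tUNITED STATES\n"
    "\n"
    "84-1B-5E   (hex)\t\tNETGEAR\n"
    "841B5E     (base 16)\t\tNETGEAR\n"
)

HEX_LINE = re.compile(
    r"^\s*([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.*\S)\s*$", re.I)

def parse_oui(text):
    """Return {prefix: [organisation, address lines...]} for each record."""
    records, current = {}, None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:                                  # "(hex)" line starts a record
            current = records.setdefault("".join(m.group(1, 2, 3)).upper(), [])
            current.append(m.group(4))
        elif not line.strip():                 # blank line ends the record
            current = None
        elif current is not None and "(base 16)" not in line:
            current.append(line.strip())       # variable-length address part
    return records

def prefix_of(mac):
    """First three octets of a MAC (':' or '-' separated) as 6 hex digits."""
    parts = re.split(r"[:-]", mac.strip())[:3]
    if len(parts) < 3 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address or prefix: {mac!r}")
    return "".join(p.zfill(2) for p in parts).upper()

def etherwhois(mac, records):
    """Return the record lines for the MAC's vendor prefix, or None."""
    return records.get(prefix_of(mac))

RECORDS = parse_oui(SAMPLE_OUI)
```
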
  4. Ant

    Jorgen Grahn Guest

    You're talking about the arpwatch utility which sends a mail when a
    new computer shows up in a LAN.

    But it already does what you want! It resolves both IP addresses and
    MAC addresses, whenever possible. It's the "hostname" and "ethernet
    vendor" headlines.

    /Jorgen
     
    Jorgen Grahn, Aug 3, 2015
    #4
  5. Or "arp -a" (run as root).

    Regards, Dave Hodgins
     
    David W. Hodgins, Aug 3, 2015
    #5
  6. Ant

    Ant Guest

    No, they don't show me what brand, models, and names those devices are.
    Here's an example:

    $ sudo arp -n
    Address          HWtype  HWaddress           Flags Mask  Iface
    192.168.1.1      ether   84:1b:5e:da:d6:a3   C           eth0
    192.168.1.15     ether   96:10:3e:a3:5a:f4   C           eth0
    ....
    --
    "I used to own an ant farm but had to give it up. I couldn't find
    tractors small enough to fit it." --Steven Wright
    Note: A fixed width font (Courier, Monospace, etc.) is required to see
    this signature correctly.
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) Chop ANT from its address if e-mailing privately.
    Ant is currently not listening to any songs on this computer.
     
    Ant, Aug 6, 2015
    #6
  7. Ant

    Ant Guest

    Hmm. I don't get those hostnames and ethernet vendors though.
    --
    "... Our latest evil plan and create an army of giant ants to take over
    the galaxy..." --Dark Helmet from Spaceballs: The Animated Series (S1 E3).
    Note: A fixed width font (Courier, Monospace, etc.) is required to see
    this signature correctly.
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) Chop ANT from its address if e-mailing privately.
    Ant is currently not listening to any songs on this computer.
     
    Ant, Aug 6, 2015
    #7


  8. arp-scan -l -g --interface=eth0

    netdiscover -i eth0 -r 192.168.1.0/24
     
    Kirk_Von_Rockstein, Aug 6, 2015
    #8
  9. Ant

    Jorgen Grahn Guest

    But do you get the headlines?

    I'm not that surprised that the IP address isn't resolved, because
    IPv4 addresses on a LAN tend to be private like 192.168/16, and you
    won't find those in DNS. If you haven't written them down in
    /etc/hosts, the address--name mapping is just in your head.

    For the MAC address, I don't know ... there is a vendor database
    somewhere, but I don't know how common it is for NICs not to be listed
    there. My latest computer[0] was listed anyway:

    hostname: <unknown>
    ip address: 169.254.171.130
    interface: eth0
    ethernet address: 00:30:05:d0:c5:24
    ethernet vendor: Fujitsu Siemens Computers
    timestamp: Wednesday, June 3, 2015 21:09:33 +0200

    But my BeagleBone Black wasn't.

    /Jorgen

    [0] Fujitsu-Siemens Esprimo something. Nice little desktop. Bought
    second-hand: the brand is now obsolete, as I understand it.
     
    Jorgen Grahn, Aug 7, 2015
    #9
  10. Ant

    Rick Jones Guest

    Are you referring to the likes of:

    http://standards-oui.ieee.org/oui.txt ?

    rick jones
     
    Rick Jones, Aug 7, 2015
    #10
  11. Ant

    Jorgen Grahn Guest

    Kind of. I was a bit vague ... I was really wondering if the
    MAC->vendor mapping is hardcoded in applications like arpwatch and
    tcpdump, or if a typical Linux system keeps a file, much like
    /etc/services.

    And wondering what conclusions one can draw when an application like
    arpwatch fails to find a vendor.

    /Jorgen
     
    Jorgen Grahn, Aug 8, 2015
    #11
  12. Ant

    Ant Guest

    $ sudo arp-scan -l -g --interface=eth0
    [sudo] password for ant:
    Interface: eth0, datalink type: EN10MB (Ethernet)
    Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
    192.168.1.1 84:1b:5e:da:d6:a3 (Unknown)
    192.168.1.9 96:10:3e:a3:5a:f4 (Unknown)
    192.168.1.10 96:10:3e:a3:5a:f8 (Unknown)
    192.168.1.15 00:1f:bc:01:b9:db EVGA Corporation

    11 packets received by filter, 0 packets dropped by kernel
    Ending arp-scan 1.8.1: 256 hosts scanned in 1.465 seconds (174.74 hosts/sec). 9 responded

    $ sudo netdiscover -i eth0 -r 192.168.1.0/24
    Currently scanning: Finished! | Screen View: Unique Hosts

    16 Captured ARP Req/Rep packets, from 4 hosts. Total size: 960

    _____________________________________________________________________________
    IP At MAC Address Count Len MAC Vendor

    -----------------------------------------------------------------------------
    192.168.1.1 84:1b:5e:da:d6:a3 01 060 Unknown vendor
    192.168.1.9 96:10:3e:a3:5a:f4 01 060 Unknown vendor
    192.168.1.10 96:10:3e:a3:5a:f8 01 060 Unknown vendor
    192.168.1.15 00:1f:bc:01:b9:db 01 060 EVGA Corporation


    Both cannot determine the MAC addresses of my router and other networked
    devices? :(
    --
    "We are anthill men upon an anthill world." --Ray Bradbury
    Note: A fixed width font (Courier, Monospace, etc.) is required to see
    this signature correctly.
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) Chop ANT from its address if e-mailing privately.
    Ant is currently not listening to any songs on this computer.
     
    Ant, Aug 9, 2015
    #12
  13. Ant

    Ant Guest

    Here is what mail command shows me:
    $ mail
    Mail version 8.1.2 01/15/2001. Type ? for help.
    "/var/mail/user": 2 messages
    (192.168.1.10) eth0
    2 arpwatch@MyBox Sat Aug 08 20:57 28/918 flip flop
    (192.168.1.9) eth0
    & 1
    Message 1:
    From arpwatch@MyBox Sat Aug 08 20:57:24 2015
    Envelope-to: root@MyBox
    Delivery-date: Sat, 08 Aug 2015 20:57:24 -0700
    From: arpwatch@MyBox (Arpwatch MyBox)
    To: root@MyBox
    Subject: flip flop (192.168.1.10) eth0
    Date: Sat, 08 Aug 2015 20:57:24 -0700
    Content-Length: 394
    Lines: 10

    hostname: <unknown>
    ip address: 192.168.1.10
    interface: eth0
    ethernet address: 96:10:3e:a3:5a:f4
    ethernet vendor: <unknown>
    old ethernet address: 96:10:3e:a3:5a:f8
    old ethernet vendor: <unknown>
    timestamp: Saturday, August 8, 2015 20:57:24 -0700
    previous timestamp: Saturday, August 8, 2015 20:51:48 -0700
    delta: 5 minutes


    Yeah, I understand this. /etc/hosts has that static addresses' information.

    169 address? :/
    --
    "None preaches better than the ant, and she says nothing." --Ben Franklin
    Note: A fixed width font (Courier, Monospace, etc.) is required to see
    this signature correctly.
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) Chop ANT from its address if e-mailing privately.
    Ant is currently not listening to any songs on this computer.
     
    Ant, Aug 9, 2015
    #13
  14. Ant

    Ant Guest

    Hmm, slow download:

    $ wget http://standards-oui.ieee.org/oui.txt
    --2015-08-08 21:03:13-- http://standards-oui.ieee.org/oui.txt
    Resolving standards-oui.ieee.org (standards-oui.ieee.org)... 140.98.193.27
    Connecting to standards-oui.ieee.org (standards-oui.ieee.org)|140.98.193.27|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3546124 (3.4M) [text/plain]
    Saving to: `oui.txt'

    0% [ ]
    15,643 1.78K/s eta 32m 15s

    :(
    --
    "An ant is a wise creature for itself, but it is a shrewd thing in an
    orchard or garden." --Francis Bacon
    Note: A fixed width font (Courier, Monospace, etc.) is required to see
    this signature correctly.
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) Chop ANT from its address if e-mailing privately.
    Ant is currently not listening to any songs on this computer.
     
    Ant, Aug 9, 2015
    #14
  15. Ant

    Ant Guest

    For the MAC address, I don't know ... there is a vendor database
    That is what I would like to see.
    --
    "It doesn't matter what your D&D manual says, you did not get 5
    experience points for killing the giant ant in your kitchen." --BBspot's
    Geek Horoscopes (7/30/2004)
    Note: A fixed width font (Courier, Monospace, etc.) is required to see
    this signature correctly.
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) Chop ANT from its address if e-mailing privately.
    Ant is currently not listening to any songs on this computer.
     
    Ant, Aug 9, 2015
    #15
  16. Ant

    Jorgen Grahn Guest

    Interesting. If we look in oui.txt which Rick Jones provided

    00-1F-BC EVGA Corporation
    84-1B-5E NETGEAR

    So there's a Netgear device there which your applications didn't know
    about, and another mystery device which isn't even in oui.txt.
    Perhaps 96-10-3e is reserved for experimental use; I'm too lazy to
    find out.

    Netgear has 43 different entries in oui.txt, by the way.

    /Jorgen
     
    Jorgen Grahn, Aug 9, 2015
    #16
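Added example, not part of any post in this thread: a check of the two flag bits in a MAC address's first octet, run over the arpwatch "flip flop" report quoted in post #13. In 96:10:3e the first octet 0x96 has the locally administered bit (0x02) set, and such addresses are assigned by software or an administrator, so the prefix is not expected to appear in the IEEE vendor list. The function names here are assumptions of this example.

```python
import re

# Body of the arpwatch "flip flop" report quoted in post #13 of this thread.
REPORT = """\
hostname: <unknown>
ip address: 192.168.1.10
interface: eth0
ethernet address: 96:10:3e:a3:5a:f4
ethernet vendor: <unknown>
old ethernet address: 96:10:3e:a3:5a:f8
old ethernet vendor: <unknown>
timestamp: Saturday, August 8, 2015 20:57:24 -0700
previous timestamp: Saturday, August 8, 2015 20:51:48 -0700
delta: 5 minutes
"""

def parse_report(body):
    """Split the 'key: value' lines of an arpwatch report into a dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")   # split at the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def mac_flags(mac):
    """Decode the I/G (0x01) and U/L (0x02) bits of the first octet."""
    first = int(re.split(r"[:-]", mac.strip())[0], 16)
    return {"multicast": bool(first & 0x01),
            "locally_administered": bool(first & 0x02)}

def triage(fields):
    """Return [(field, mac, verdict)] for each MAC named in the report.

    'local'     -> U/L bit set: a vendor lookup is not expected to succeed
    'universal' -> U/L bit clear: look the prefix up in oui.txt
    """
    result = []
    for key in ("ethernet address", "old ethernet address"):
        mac = fields.get(key)
        if mac:
            local = mac_flags(mac)["locally_administered"]
            result.append((key, mac, "local" if local else "universal"))
    return result
```

For the report above both addresses come back as `local`, while the router's 84:1b:5e:da:d6:a3 and the EVGA host's 00:1f:bc:01:b9:db are `universal` and can be matched against oui.txt.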
  17. Ant

    Tauno Voipio Guest

    169.154.x.y is a link local address. It is picked up by the system
    if there are no other ways to get an IP address.

    For more information, Google for zeroconf.
     
    Tauno Voipio, Aug 9, 2015
    #17
  18. Ant

    Jorgen Grahn Guest

    Funny; I never encountered that range before; thanks.

    I never paid much attention to the address above ... when that host
    showed up in my network, it was briefly running Windows 7, and I
    didn't know or care how its networking was set up.

    I don't have DHCP in my network ... IPv4 addresses are assigned
    manually. For IPv6 I use radvd though.

    /Jorgen
     
    Jorgen Grahn, Aug 9, 2015
    #18
  19. Ant

    Tauno Voipio Guest

    Correction for the misprint: the address range is 169.254.x.y.
     
    Tauno Voipio, Aug 9, 2015
    #19