arpwatch


mfaridi
December 11th, 2008, 10:23
I use FreeBSD 7 in my office and we are 20 people here. Sometimes another user changes their IP and sets my IP to use it. How can I tell when someone on the network sets my IP and uses it? I found arpwatch and installed it from ports, but I do not know how I must configure it, how this package makes a log for me, and how I can see who set my IP.

Can I find other tools like arpwatch to see ARP and conflicting IPs?

Ole
December 11th, 2008, 10:45
Put

arpwatch_enable="YES"

in /etc/rc.conf.

Set the root mailbox (the default recipient in arpwatch) to your e-mail:

root: <yours@email.com>

in /etc/mail/aliases.

Rebuild the sendmail db files:

cd /etc/mail
make
make restart


Start arpwatch:

sh /usr/local/etc/rc.d/arpwatch start


and watch your mail reader. An IP that has a conflict is marked as a flip flop action.

mfaridi
December 11th, 2008, 14:40
When I type

/usr/local/etc/rc.d/arpwatch start

I see this message:

meuh


What is this?
Can I find another package like this?

Ole
December 11th, 2008, 14:46
Insert one more record into /etc/rc.conf:

arpwatch_interfaces="<if>"


where <if> is the name of your intranet interface, for example

arpwatch_interfaces="xl0"

Ole
December 11th, 2008, 14:52
Can I find another package like this?
Of course you can:

cd /usr/ports/
make search key="arp" |grep Info: |grep "ARP" |grep ^Info

or search by http://www.freebsd.org/ports/net-mgmt.html

mfaridi
December 11th, 2008, 15:02
Thanks.
Can arpwatch make a log for me? And do I have to change mail/aliases?

Ole
December 11th, 2008, 15:08
Yeah, man arpwatch(8) says:

DESCRIPTION
Arpwatch keeps track for ethernet/ip address pairings. It syslogs
activity and reports certain changes via email.


You can set up syslog.conf, for example like

!arpwatch
*.* /var/log/arpwatch.log


or sort the messages by another method.

mfaridi
December 11th, 2008, 15:27
How can I restart syslog.conf so the change takes effect for the arpwatch log?

Ole
December 11th, 2008, 15:56
killall -1 syslogd

or

/etc/rc.d/syslogd restart

mfaridi
December 11th, 2008, 17:14
I have two interfaces, re0 and vr0. Can arpwatch monitor two LAN cards?

Ole
December 11th, 2008, 19:41
IMHO (I can't check this now) this must work (in /etc/rc.conf):


arpwatch_interfaces="re0 vr0"

mfaridi
December 13th, 2008, 07:56
When I type

tail -f /var/log/arpwatch.log

I see this message:

Dec 12 18:26:59 Mostafa arpwatch: new station 192.168.0.42 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.55 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.53 0:b0:64:e:61:a9
Dec 12 21:05:29 Mostafa arpwatch: new station 192.168.0.45 0:b0:64:e:61:a9
Dec 12 21:05:30 Mostafa arpwatch: new station 192.168.0.25 0:b0:64:e:61:a9
Dec 12 21:14:56 Mostafa arpwatch: new station 192.168.0.85 0:b0:64:e:61:a9
Dec 12 21:14:56 Mostafa arpwatch: new station 192.168.0.21 0:b0:64:e:61:a9
Dec 13 01:43:59 Mostafa arpwatch: new station 192.168.0.11 0:b0:64:e:61:a9
Dec 13 01:43:59 Mostafa arpwatch: new station 192.168.0.77 0:b0:64:e:61:a9
Dec 13 10:54:19 Mostafa arpwatch: listening on re0


What does this log mean?
Someone is trying to set my IP.

DutchDaemon
December 13th, 2008, 16:35
You have a PC or server with MAC address 0:b0:64:e:61:a9, and it's acquiring a new IP address nine times in a row. You appear to have no other PCs or servers on your network. On a DHCP server, you should see something like this:

Dec 11 15:27:51 dhcp arpwatch: new station 192.168.0.156 0:11:25:b4:61:10
Dec 11 15:27:51 dhcp arpwatch: new station 192.168.0.1 0:14:38:4f:ea:29
Dec 11 15:28:39 dhcp arpwatch: new station 192.168.0.201 0:16:3e:10:1:1
Dec 11 15:28:44 dhcp arpwatch: new station 192.168.0.177 0:1f:29:7d:71:64
Dec 11 15:29:02 dhcp arpwatch: new station 192.168.0.187 0:9:6b:c5:79:f
Dec 11 15:30:58 dhcp arpwatch: new station 192.168.0.202 0:16:3e:10:2:1
Dec 11 15:36:00 dhcp arpwatch: new station 192.168.0.205 0:16:3e:10:5:1
Dec 11 15:36:31 dhcp arpwatch: new station 192.168.0.171 0:9:6b:11:93:db
Dec 11 15:40:26 dhcp arpwatch: new station 192.168.0.176 0:1f:29:7d:61:2c
Dec 11 15:42:38 dhcp arpwatch: new station 192.168.0.179 0:1f:29:d8:5b:a4
Dec 11 15:52:49 dhcp arpwatch: new station 192.168.0.166 0:1f:29:7d:61:b6
Dec 11 16:58:19 dhcp arpwatch: new station 192.168.0.254 0:11:85:81:de:9c
Dec 12 04:53:36 dhcp arpwatch: new station 192.168.0.252 0:13:21:b0:3c:74
Dec 12 14:28:45 dhcp arpwatch: new station 192.168.0.199 0:1f:29:7d:71:64
Dec 12 14:31:11 dhcp arpwatch: new station 192.168.0.172 0:11:25:b4:4c:e
Dec 12 14:33:33 dhcp arpwatch: new station 192.168.0.165 0:1f:29:7d:61:b6
Dec 12 15:15:29 dhcp arpwatch: new station 192.168.0.174 0:1f:29:7d:61:2c

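An added example, not part of the thread and not arpwatch's own code: a small sh/awk summariser that reads arpwatch syslog lines (as written to /var/log/arpwatch.log by the syslog.conf rule above) and reports the two patterns this thread is about, one IP seen with several MACs (an address conflict or spoofing attempt, which arpwatch logs as "changed ethernet address" and "flip flop") and one MAC seen with many IPs (the pattern DutchDaemon diagnosed). The sample log is constructed: the nine "new station" lines from the post above plus two made-up lines in arpwatch's "changed ethernet address" / "flip flop" format; the threshold of 3 IPs per MAC is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from arpwatch: summarise arpwatch
# syslog lines so that one IP claimed by several MACs (address conflict or
# spoofing) and one MAC claiming many IPs (the log above) stand out.
# Real use:  arpwatch_summary 3 < /var/log/arpwatch.log

# Constructed sample: the thread's "new station" lines plus two made-up
# "changed ethernet address" / "flip flop" lines in arpwatch's format.
SAMPLE_LOG='Dec 12 18:26:59 Mostafa arpwatch: new station 192.168.0.42 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.55 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.53 0:b0:64:e:61:a9
Dec 12 21:05:29 Mostafa arpwatch: new station 192.168.0.45 0:b0:64:e:61:a9
Dec 12 21:05:30 Mostafa arpwatch: new station 192.168.0.25 0:b0:64:e:61:a9
Dec 12 21:14:56 Mostafa arpwatch: new station 192.168.0.85 0:b0:64:e:61:a9
Dec 12 21:14:56 Mostafa arpwatch: new station 192.168.0.21 0:b0:64:e:61:a9
Dec 13 01:43:59 Mostafa arpwatch: new station 192.168.0.11 0:b0:64:e:61:a9
Dec 13 01:43:59 Mostafa arpwatch: new station 192.168.0.77 0:b0:64:e:61:a9
Dec 13 10:54:19 Mostafa arpwatch: listening on re0
Dec 13 11:02:10 Mostafa arpwatch: changed ethernet address 192.168.0.42 0:1:2:3:4:5 (0:b0:64:e:61:a9)
Dec 13 11:03:44 Mostafa arpwatch: flip flop 192.168.0.42 0:b0:64:e:61:a9 (0:1:2:3:4:5)'

# arpwatch_summary [MAX]: read arpwatch syslog lines on stdin, print one
# line per finding, sorted:
#   CONFLICT <ip> <mac> <mac>...   IP seen with more than one MAC
#   MULTI <mac> <n>                MAC seen with more than MAX (default 3) IPs
#   FLIPFLOP <n>                   number of "flip flop" events
arpwatch_summary() {
    awk -v max="${1:-3}" '
    $5 != "arpwatch:" { next }
    {
        # the IP is the first dotted-quad field after "arpwatch:"; the MAC follows it
        for (i = 6; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) break
        if (i + 1 > NF) next                 # e.g. "listening on re0"
        ip = $i; mac = $(i + 1)
        note(ip, mac)
        if (i + 2 <= NF && $(i + 2) ~ /^\(/) {   # "(old mac)" on change / flip flop lines
            old = $(i + 2); gsub(/[()]/, "", old); note(ip, old)
        }
        if ($6 == "flip") flips++
    }
    # remember each distinct ip/mac pairing once, counting per IP and per MAC
    function note(ip, mac) {
        if (seen[ip, mac]++) return
        ipmacs[ip] = ipmacs[ip] " " mac; nmac[ip]++; nip[mac]++
    }
    END {
        for (ip in ipmacs) if (nmac[ip] > 1)  print "CONFLICT", ip ipmacs[ip]
        for (mac in nip)   if (nip[mac] > max) print "MULTI", mac, nip[mac]
        print "FLIPFLOP", flips + 0
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | arpwatch_summary 3
```

Run against the sample it prints a CONFLICT line for 192.168.0.42 (two MACs), a MULTI line for 0:b0:64:e:61:a9 (nine IPs) and FLIPFLOP 1. Note that arpwatch only sees ARP traffic on the interfaces it listens on, so on a switched network it mostly learns from broadcast requests; the MULTI pattern by itself says that one NIC has used many addresses, not who set them.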
mfaridi
December 13th, 2008, 16:50
So I understand one system here is trying to get a new IP, and this system does not set my IP?
Is this true?

DutchDaemon
December 13th, 2008, 22:28
Find out which system that MAC address belongs to. That will probably answer some questions.

lbl
December 20th, 2008, 07:53
Another way to monitor it, involving switches.

Add one of these lines to crontab and let it run fairly often.

Fetch the list from the BSD box (grep -qFx matches the whole line literally, so 10.20.5.1 cannot match 10.20.5.112):
arp -a | awk '{ print $2,$4 }' | sed 's/(//' | sed 's/)//' | while read list ; do grep -qFx -- "$list" /root/allowed-mac-ips || echo "Unallowed $list" | mail -s "unallowed box $list" email@localdomain ; done

Fetch the list from an SNMP-enabled switch:
snmpwalk -Cc -v2c -c public switch.localdomain ipNetToMediaPhysAddress | /usr/bin/sed 's/.*ss\.[0-9]*\.//' | awk '{ print $1,$4}' | while read list ; do grep -qFx -- "$list" /root/allowed-mac-ips || echo "Unallowed $list" | mail -s "unallowed box $list" email@localdomain ; done

Run the line one time and add the lines you get in the first mails to the /root/allowed-mac-ips file.

file: allowed-mac-ips
10.20.5.112 0:16:ea:a3:28:54
10.20.5.50 0:1b:21:21:41:66
10.20.5.1 0:18:8d:5:3d:c1
10.20.5.250 0:c:6e:1:e8:8f
10.20.5.100 0:16:d3:c8:2e:92
10.20.5.106 0:e:9b:53:3c:e
10.20.5.103 0:e:2e:ef:6d:ea
10.20.5.104 0:13:e8:72:f8:8f

/lbl

Keep it simple.
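An added example, not lbl's script and not part of the thread: the same allow-list check as the two cron lines above, split into one normaliser per source (arp -a on the BSD box, snmpwalk on the switch) and one shared checker, so the comparison is a literal whole-line match and incomplete ARP entries are skipped instead of being mailed every run. The arp -a lines, the snmpwalk lines and the allow-list are constructed samples; the path /root/allowed-mac-ips in the usage comment is lbl's file name and is assumed.

```shell
#!/bin/sh
# Added example, not lbl's script: allow-list check for IP/MAC pairings with
# one normaliser per source and a shared checker.  Real use (assumed paths):
#   arp -a | arp_pairs | unallowed_pairs /root/allowed-mac-ips
#   snmpwalk -v2c -c public switch.localdomain ipNetToMediaPhysAddress \
#       | snmp_pairs | unallowed_pairs /root/allowed-mac-ips

# Constructed sample of FreeBSD `arp -a` output (not captured from a real host).
# 10.20.5.50 answers with two different MACs: the conflict this thread is about.
SAMPLE_ARP='? (10.20.5.1) at 0:18:8d:5:3d:c1 on re0 [ethernet]
? (10.20.5.50) at 0:1b:21:21:41:66 on re0 [ethernet]
? (10.20.5.50) at 0:16:ea:a3:28:54 on re0 [ethernet]
? (10.20.5.9) at (incomplete) on re0 expired [ethernet]
? (10.20.5.200) at 0:c:6e:1:e8:8f on re0 [ethernet]'

# Constructed sample of net-snmp output for the switch's ARP table.
SAMPLE_SNMP='IP-MIB::ipNetToMediaPhysAddress.3.10.20.5.1 = STRING: 0:18:8d:5:3d:c1
IP-MIB::ipNetToMediaPhysAddress.3.10.20.5.112 = STRING: 0:16:ea:a3:28:54
IP-MIB::ipNetToMediaPhysAddress.3.10.20.5.77 = STRING: 0:e:2e:ef:6d:ea'

# Constructed allow-list in the "IP MAC" form of lbl's allowed-mac-ips file.
SAMPLE_ALLOWED='10.20.5.1 0:18:8d:5:3d:c1
10.20.5.50 0:1b:21:21:41:66
10.20.5.112 0:16:ea:a3:28:54'

# arp_pairs: `arp -a` lines on stdin -> "IP MAC" lines; entries whose MAC
# field has no colon ("(incomplete)") are dropped.
arp_pairs() {
    awk '$4 ~ /:/ { ip = $2; gsub(/[()]/, "", ip); print ip, $4 }'
}

# snmp_pairs: snmpwalk ipNetToMediaPhysAddress lines on stdin -> "IP MAC" lines
# (strip everything up to the interface index, keep the IP suffix and the MAC).
snmp_pairs() {
    sed 's/.*ss\.[0-9]*\.//' | awk '{ print $1, $4 }'
}

# unallowed_pairs FILE: "IP MAC" lines on stdin; print those not present as a
# whole line in FILE.  grep -F -x: literal, whole-line match, so 10.20.5.1
# cannot match 10.20.5.112 and the dots are not regex wildcards.
unallowed_pairs() {
    while read -r ip mac; do
        [ -n "$mac" ] || continue
        grep -qFx -- "$ip $mac" "$1" || echo "$ip $mac"
    done
}

# demo SOURCE: run one constructed sample (arp or snmp) against the allow-list.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_ALLOWED" > "$tmp"
    case $1 in
        arp)  printf '%s\n' "$SAMPLE_ARP"  | arp_pairs  | unallowed_pairs "$tmp" ;;
        snmp) printf '%s\n' "$SAMPLE_SNMP" | snmp_pairs | unallowed_pairs "$tmp" ;;
    esac
    rm -f "$tmp"
}

demo arp
demo snmp
```

With the samples, the arp source reports the second MAC claiming 10.20.5.50 and the unknown host 10.20.5.200, and the snmp source reports 10.20.5.77; in a cron line, pipe the output into mail as lbl does. Comparing the switch's table rather than the BSD box's own cache has the advantage that the switch has seen every host on the segment, not only the ones the box has talked to.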