arpwatch multiple networks

I am running arpwatch on one BSD server monitoring 3 separate networks that are on the same wired network. I can look in my logfiles and see that arpwatch is working and collecting data for all 3 networks. My problem is all the of email notifications that i receive are only for the 10.6.99.0/24 private network. Any help would be appreciated. Thanks!

Here is the script that I run.

#!/bin/sh
#
/usr/local/sbin/arpwatch -N -n 206.15.68.0/24 -f /usr/local/arpwatch/arp.dat &
/usr/local/sbin/arpwatch -N -n 174.46.230.0/24 -f /usr/local/arpwatch/arp3.dat &
/usr/local/sbin/arpwatch -N -n 10.6.99.0/24 -f /usr/local/arpwatch/arp2.dat &
 
I'm not so sure this will work. I'm guessing the interface it listens on is on the 10.6.99.0/24 network?

Arpwatch only processes information collected from the same logical network that the interface it listens on participates in. This is true even if the LAN has been designed so that different subnets share the same physical wire for data transmission. Collecting data from multiple logical subnetworks requires the execution of separate instances of Arpwatch, one for each logical subnet, each tied to an autonomous network interface.
http://www.linuxjournal.com/article/3517
 
The adapter is bound to the 206 network and is alised with an IP address of the other 2 networks with a /24 subnet. In reading the article it stated multiple instances of arpwatch needed to run and the script I am running multiple instances of arpwatch. I can see where it has collected arp data for all three /24's in the arp.dat file.
 
dfisherkern said:
I can look in my logfiles and see that arpwatch is working and collecting data for all 3 networks. My problem is all the of email notifications that i receive are only for the 10.6.99.0/24 private network.

Are all three arpwatch instances logging events to /var/log/messages?
 
Well, how do you have your email notifications set up? Use the -e <shell_user_here> option. Then check that user's email, or forward it to your 'net address if needed.
 
dfisherkern said:
In reading the article it stated multiple instances of arpwatch needed to run and the script I am running multiple instances of arpwatch.
Yes, but it also states it needs an autonomous interface. I'll see if I can play around with it.


I can see where it has collected arp data for all three /24's in the arp.dat file.
That would indicate it's at least picking up the ARPs.
 
Back
Top