arpwatch

[mfaridi]

I use FreeBSD 7 in my office and we are 20 person in here , sometimes other user change their IP and set my IP , for use , How I can understand someone in network set my IP and use it , I find arpwatch and install it from port , but I do not know how I must config it and how this package make log for me and I see who set my IP.

Can I find another tools like arpwatch for see arp and conflict IPs???

 

[Ole]

put

arpwatch_enable="YES"

to /etc/rc.conf

set root (default recipient in arpwatch) mailbox to yours e-mail:

root: <yours@email.com>

in /etc/mail/aliases

rebuilds sendmail db files

cd /etc/mail
make
make restart

starts arpwatch

sh /usr/local/etc/rc.d/arpwatch start

and go watching to mail reader. IP who has conflicting marked as flip-flop action

 

[mfaridi]

when I type

 /usr/local/etc/rc.d/arpwatch start

I see this message

meuh

what is this ???
can I find another package like this ??

 

[Ole]

insert into /etc/rc.conf one else records:

arpwatch_interfaces="<if>"

where <if> - is name of you Intranet inetface, for example

arpwatch_interfaces="xl0"

 

[Ole]

can I find another package like this ??

of course you can:

cd /usr/ports/
make search key="arp" |grep Info: |grep "ARP" |grep ^Info

or search by http://www.freebsd.org/ports/net-mgmt.html

 

[mfaridi]

thanks
Can arpwatch make log for me ?? and I do have to change mail/alias

 

[Ole]

yeah, man arpwatch(8) say:

DESCRIPTION
Arpwatch keeps track for ethernet/ip address pairings. It syslogs
activity and reports certain changes via email.

you can setup syslog.conf for example like

!arpwatch
*.* /var/log/arpwatch.log

or sort messages by other method

 

[mfaridi]

How I can restart syslog.conf for make effect for log arpwatch

 

[Ole]

killall -1 syslogd or

/etc/rc.d/syslogd restart

 

[mfaridi]

I have two interface re0 and vr0 , can arpwatch monitor two Lan Card ?

 

[Ole]

imho (i can't check this now) must be work (in /etc/rc.conf)

arpwatch_interfaces="re0 vr0"

 

[mfaridi]

When I type

tail -f /var/log/arpwatch.log

I see this message

Dec 12 18:26:59 Mostafa arpwatch: new station 192.168.0.42 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.55 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.53 0:b0:64:e:61:a9
Dec 12 21:05:29 Mostafa arpwatch: new station 192.168.0.45 0:b0:64:e:61:a9
Dec 12 21:05:30 Mostafa arpwatch: new station 192.168.0.25 0:b0:64:e:61:a9
Dec 12 21:14:56 Mostafa arpwatch: new station 192.168.0.85 0:b0:64:e:61:a9
Dec 12 21:14:56 Mostafa arpwatch: new station 192.168.0.21 0:b0:64:e:61:a9
Dec 13 01:43:59 Mostafa arpwatch: new station 192.168.0.11 0:b0:64:e:61:a9
Dec 13 01:43:59 Mostafa arpwatch: new station 192.168.0.77 0:b0:64:e:61:a9
Dec 13 10:54:19 Mostafa arpwatch: listening on re0

what is mean of this log ??
someone try set my IP .

 

[DutchDaemon]

You have a PC or server with MAC address 0:b0:64:e:61:a9, and it's acquiring a new IP address nine times in a row. You appear to have no other PCs or servers on your network. On a DHCP server, you should see something like this:

Dec 11 15:27:51 dhcp arpwatch: new station 192.168.0.156 0:11:25:b4:61:10
Dec 11 15:27:51 dhcp arpwatch: new station 192.168.0.1 0:14:38:4f:ea:29
Dec 11 15:28:39 dhcp arpwatch: new station 192.168.0.201 0:16:3e:10:1:1
Dec 11 15:28:44 dhcp arpwatch: new station 192.168.0.177 0:1f:29:7d:71:64
Dec 11 15:29:02 dhcp arpwatch: new station 192.168.0.187 0:9:6b:c5:79:f
Dec 11 15:30:58 dhcp arpwatch: new station 192.168.0.202 0:16:3e:10:2:1
Dec 11 15:36:00 dhcp arpwatch: new station 192.168.0.205 0:16:3e:10:5:1
Dec 11 15:36:31 dhcp arpwatch: new station 192.168.0.171 0:9:6b:11:93:db
Dec 11 15:40:26 dhcp arpwatch: new station 192.168.0.176 0:1f:29:7d:61:2c
Dec 11 15:42:38 dhcp arpwatch: new station 192.168.0.179 0:1f:29:d8:5b:a4
Dec 11 15:52:49 dhcp arpwatch: new station 192.168.0.166 0:1f:29:7d:61:b6
Dec 11 16:58:19 dhcp arpwatch: new station 192.168.0.254 0:11:85:81:de:9c
Dec 12 04:53:36 dhcp arpwatch: new station 192.168.0.252 0:13:21:b0:3c:74
Dec 12 14:28:45 dhcp arpwatch: new station 192.168.0.199 0:1f:29:7d:71:64
Dec 12 14:31:11 dhcp arpwatch: new station 192.168.0.172 0:11:25:b4:4c:e
Dec 12 14:33:33 dhcp arpwatch: new station 192.168.0.165 0:1f:29:7d:61:b6
Dec 12 15:15:29 dhcp arpwatch: new station 192.168.0.174 0:1f:29:7d:61:2c

 

[mfaridi]

So I understand one system in here try get new IP , and this system do not set my IP ??
Is this true ???

 

[DutchDaemon]

Find out which system that MAC address belongs to. That will probably answer some questions.

 

[lbl]

The Shell script way.

Another way to monitor it, involving switches.

Add one of these lines to crontab and let it run fairly offen.

fetch list from bsd box:
arp -a | awk '{ print $2,$4 }' | sed 's/(//' | sed 's/)//' | while read list ; do grep "$list" /root/allowed-mac-ip || echo "Unallowed $list" | mail -s "unallowed box $list" email@localdomain ; done

fetch list from snmp enabled switch:
snmpwalk -Cc -v2c -c public switch.localdomain ipNetToMediaPhysAddress | /usr/bin/sed 's/.*ss\.[0-9]*\.//' | awk '{ print $1,$4}' | while read list ; do grep "$list" /root/allowed-mac-ip || echo "Unallowed $list" | mail -s "unallowed box $list" email@localdomain ; done

Run the line one time and add the lines you get in the first mails in the /root/allowed-mac-ips file.

file: allowed-mac-ips
10.20.5.112 0:16:ea:a3:28:54
10.20.5.50 0:1b:21:21:41:66
10.20.5.1 0:18:8d:5:3d:c1
10.20.5.250 0:c:6e:1:e8:8f
10.20.5.100 0:16:d3:c8:2e:92
10.20.5.106 0:e:9b:53:3c:e
10.20.5.103 0:e:2e:ef:6d:ea
10.20.5.104 0:13:e8:72:f8:8f

/lbl

Keep it simple.