# arpwatch



## mfaridi (Dec 11, 2008)

I use FreeBSD 7 in my office and we are 20 people here. Sometimes other users change their IP and set my IP for their own use. How can I tell that someone on the network has set my IP and is using it? I found arpwatch and installed it from ports, but I do not know how I must configure it, how this package makes a log for me, or how I can see who set my IP.

Can I find other tools like arpwatch to see ARP and conflicting IPs???


----------



## Ole (Dec 11, 2008)

Put

```
arpwatch_enable="YES"
```
in /etc/rc.conf.

Set the root mailbox (the default recipient in arpwatch) to your e-mail:

```
root: <yours@email.com>
```
in /etc/mail/aliases.

Rebuild the sendmail db files:

```
cd /etc/mail
make
make restart
```

Start arpwatch:

```
sh /usr/local/etc/rc.d/arpwatch start
```

and go watch your mail reader. An IP that has a conflict is marked as a flip flop action.


----------



## mfaridi (Dec 11, 2008)

When I type


```
/usr/local/etc/rc.d/arpwatch start
```
I see this message:


```
meuh
```

What is this???
Can I find another package like this??


----------



## Ole (Dec 11, 2008)

Insert one more record into /etc/rc.conf:

```
arpwatch_interfaces="<if>"
```

where <if> is the name of your intranet interface, for example:

```
arpwatch_interfaces="xl0"
```


----------



## Ole (Dec 11, 2008)

mfaridi said:

> can I find another package like this ??

Of course you can:

```
cd /usr/ports/
make search key="arp" |grep Info: |grep "ARP" |grep ^Info
```

or search at http://www.freebsd.org/ports/net-mgmt.html


----------



## mfaridi (Dec 11, 2008)

Thanks.
Can arpwatch make a log for me?? And do I have to change mail/aliases?


----------



## Ole (Dec 11, 2008)

Yeah, man arpwatch(8) says:

> DESCRIPTION
> Arpwatch keeps track for ethernet/ip address pairings. It syslogs
> activity and reports certain changes via email.

You can set up syslog.conf, for example like this:

```
!arpwatch
*.*                  /var/log/arpwatch.log
```

or sort the messages by another method.


----------



## mfaridi (Dec 11, 2008)

How can I restart syslog.conf so the arpwatch log change takes effect?


----------



## Ole (Dec 11, 2008)

```
killall -1 syslogd
```

or

```
/etc/rc.d/syslogd restart
```


----------



## mfaridi (Dec 11, 2008)

I have two interfaces, re0 and vr0. Can arpwatch monitor two LAN cards?


----------



## Ole (Dec 11, 2008)

IMHO (I can't check this now) this must work (in /etc/rc.conf):

```
arpwatch_interfaces="re0 vr0"
```


----------



## mfaridi (Dec 13, 2008)

When I type

```
tail -f /var/log/arpwatch.log
```

I see this message:


```
Dec 12 18:26:59 Mostafa arpwatch: new station 192.168.0.42 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.55 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.53 0:b0:64:e:61:a9
Dec 12 21:05:29 Mostafa arpwatch: new station 192.168.0.45 0:b0:64:e:61:a9
Dec 12 21:05:30 Mostafa arpwatch: new station 192.168.0.25 0:b0:64:e:61:a9
Dec 12 21:14:56 Mostafa arpwatch: new station 192.168.0.85 0:b0:64:e:61:a9
Dec 12 21:14:56 Mostafa arpwatch: new station 192.168.0.21 0:b0:64:e:61:a9
Dec 13 01:43:59 Mostafa arpwatch: new station 192.168.0.11 0:b0:64:e:61:a9
Dec 13 01:43:59 Mostafa arpwatch: new station 192.168.0.77 0:b0:64:e:61:a9
Dec 13 10:54:19 Mostafa arpwatch: listening on re0
```

What is the meaning of this log??
Someone tried to set my IP.


----------



## DutchDaemon (Dec 13, 2008)

You have a PC or server with MAC address 0:b0:64:e:61:a9, and it's acquiring a new IP address nine times in a row. You appear to have no other PCs or servers on your network. On a DHCP server, you should see something like this:


```
Dec 11 15:27:51 dhcp arpwatch: new station 192.168.0.156 0:11:25:b4:61:10
Dec 11 15:27:51 dhcp arpwatch: new station 192.168.0.1 0:14:38:4f:ea:29
Dec 11 15:28:39 dhcp arpwatch: new station 192.168.0.201 0:16:3e:10:1:1
Dec 11 15:28:44 dhcp arpwatch: new station 192.168.0.177 0:1f:29:7d:71:64
Dec 11 15:29:02 dhcp arpwatch: new station 192.168.0.187 0:9:6b:c5:79:f
Dec 11 15:30:58 dhcp arpwatch: new station 192.168.0.202 0:16:3e:10:2:1
Dec 11 15:36:00 dhcp arpwatch: new station 192.168.0.205 0:16:3e:10:5:1
Dec 11 15:36:31 dhcp arpwatch: new station 192.168.0.171 0:9:6b:11:93:db
Dec 11 15:40:26 dhcp arpwatch: new station 192.168.0.176 0:1f:29:7d:61:2c
Dec 11 15:42:38 dhcp arpwatch: new station 192.168.0.179 0:1f:29:d8:5b:a4
Dec 11 15:52:49 dhcp arpwatch: new station 192.168.0.166 0:1f:29:7d:61:b6
Dec 11 16:58:19 dhcp arpwatch: new station 192.168.0.254 0:11:85:81:de:9c
Dec 12 04:53:36 dhcp arpwatch: new station 192.168.0.252 0:13:21:b0:3c:74
Dec 12 14:28:45 dhcp arpwatch: new station 192.168.0.199 0:1f:29:7d:71:64
Dec 12 14:31:11 dhcp arpwatch: new station 192.168.0.172 0:11:25:b4:4c:e
Dec 12 14:33:33 dhcp arpwatch: new station 192.168.0.165 0:1f:29:7d:61:b6
Dec 12 15:15:29 dhcp arpwatch: new station 192.168.0.174 0:1f:29:7d:61:2c
```
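To turn a log like the two above into the answer mfaridi is after (has any other MAC claimed my IP, and which MAC is churning through addresses), here is an added Python example that is not from this thread: it parses arpwatch syslog lines in the "new station" format shown above, plus the "changed ethernet address" and "flip flop" messages arpwatch writes when an IP moves between MACs, and reports every IP seen with more than one MAC and every MAC seen with many IPs. The sample log lines are constructed for the demo, and the churn threshold of five addresses is an assumption.

```python
import re
from collections import defaultdict

# Matches the "new station" lines seen in this thread and the two messages
# arpwatch logs when an IP moves to another MAC:
#   changed ethernet address <ip> <new mac> (<old mac>)   /   flip flop <ip> <new mac> (<old mac>)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ arpwatch: "
    r"(?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)(?: \((?P<old>[0-9a-f:]+)\))?$"
)

def parse(lines):
    """Yield (event, ip, mac, old_mac) for each line that is an arpwatch event."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("event"), m.group("ip"), m.group("mac"), m.group("old")

def analyse(lines, my_ip=None, ip_churn=5):
    """'conflicts': IPs seen with more than one MAC (MACs in first-seen order);
    'churn': MACs seen with at least ip_churn IPs; 'my_ip_claims': MACs that claimed my_ip."""
    ip_to_macs = defaultdict(list)
    mac_to_ips = defaultdict(list)
    for _event, ip, mac, old in parse(lines):
        for m in (old, mac):          # the old MAC (if any) was seen first
            if m and m not in ip_to_macs[ip]:
                ip_to_macs[ip].append(m)
            if m and ip not in mac_to_ips[m]:
                mac_to_ips[m].append(ip)
    return {
        "conflicts": {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1},
        "churn": {mac: ips for mac, ips in mac_to_ips.items() if len(ips) >= ip_churn},
        "my_ip_claims": list(ip_to_macs.get(my_ip, [])) if my_ip else [],
    }

# Constructed sample in the thread's format: one MAC collecting many IPs, then
# 192.168.0.10 being taken over by that MAC and bouncing back (a flip flop).
SAMPLE_LOG = """\
Dec 12 18:26:59 Mostafa arpwatch: new station 192.168.0.42 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.55 0:b0:64:e:61:a9
Dec 12 18:32:17 Mostafa arpwatch: new station 192.168.0.53 0:b0:64:e:61:a9
Dec 12 21:05:29 Mostafa arpwatch: new station 192.168.0.45 0:b0:64:e:61:a9
Dec 12 21:05:30 Mostafa arpwatch: new station 192.168.0.25 0:b0:64:e:61:a9
Dec 13 02:00:00 Mostafa arpwatch: new station 192.168.0.10 0:16:3e:10:1:1
Dec 13 02:05:00 Mostafa arpwatch: changed ethernet address 192.168.0.10 0:b0:64:e:61:a9 (0:16:3e:10:1:1)
Dec 13 02:06:00 Mostafa arpwatch: flip flop 192.168.0.10 0:16:3e:10:1:1 (0:b0:64:e:61:a9)
Dec 13 10:54:19 Mostafa arpwatch: listening on re0
""".splitlines()
```

Run `analyse(open("/var/log/arpwatch.log"), my_ip="192.168.0.10")` against the file produced by the syslog.conf entry earlier in the thread; a non-empty `conflicts` entry for your own address is the "someone set my IP" case.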


----------



## mfaridi (Dec 13, 2008)

So I understand one system here is trying to get a new IP, and this system did not set my IP??
Is this true???


----------



## DutchDaemon (Dec 13, 2008)

Find out which system that MAC address belongs to. That will probably answer some questions.


----------



## lbl (Dec 20, 2008)

*The Shell script way.*

Another way to monitor it, involving switches.

Add one of these lines to crontab and let it run fairly often.

Fetch the list from the BSD box:

```
arp -a | awk '{ print $2,$4 }' | sed 's/(//' | sed 's/)//' | while read list ; do grep "$list" /root/allowed-mac-ips || echo "Unallowed $list" | mail -s "unallowed box $list" email@localdomain ; done
```

Fetch the list from an SNMP-enabled switch:

```
snmpwalk -Cc -v2c -c public switch.localdomain ipNetToMediaPhysAddress | /usr/bin/sed 's/.*ss\.[0-9]*\.//' | awk '{ print $1,$4}' | while read list ; do grep "$list" /root/allowed-mac-ips || echo "Unallowed $list" | mail -s "unallowed box $list" email@localdomain ; done
```

Run the line once and add the lines you get in the first mails to the /root/allowed-mac-ips file.

file: allowed-mac-ips

```
10.20.5.112 0:16:ea:a3:28:54
10.20.5.50 0:1b:21:21:41:66
10.20.5.1 0:18:8d:5:3d:c1
10.20.5.250 0:c:6e:1:e8:8f
10.20.5.100 0:16:d3:c8:2e:92
10.20.5.106 0:e:9b:53:3c:e
10.20.5.103 0:e:2e:ef:6d:ea
10.20.5.104 0:13:e8:72:f8:8f
```

/lbl

Keep it simple.


----------

