Date: Wed, 04 Sep 1996 17:17:43 -0600
From: "Mark O'Lear" <Mark.Olear@Colorado.EDU>
To: Dan Nelson <dnelson@emsphone.com>
Cc: "Daniel M. Eischen" <deischen@iworks.InterWorks.org>, paul@nation-net.com, questions@freebsd.org
Subject: Re: arp info overwritten
Message-ID: <322E0E17.9E9@Colorado.EDU>
References: <199609041533.KAA08591@dan.emsphone.com>
Dan Nelson wrote:
>
> in the last episode, Daniel M. Eischen said:
> > > Is this message anything to worry about?
> > > The 2 IPs are machines in our class C.
> > >
> > > arp info overwritten for 194.159.125.100 by 00:05:02:44:5f:d1
> > > arp info overwritten for 194.159.125.110 by 00:05:02:54:3f:54
> >
> > Well, it depends on if you use those machines or not ;-)
> >
> > We've got a couple of FreeBSD PCs sitting in a building full of PCs
> > and Macs in the same subnet. We see this happen at least once a
> > month and it is logged by our FreeBSD PCs. Usually we can determine which
> > machines are at fault by using tcpdump on the affected ethernet MAC
> > addresses and by browsing shared DIRs (and similar
> > [...]
> > I don't know any other way of doing it (unless the administrators have
> > a list of all the machines and their MAC addresses). Maybe there's a
> > better way?
>
> If you keep a list of the ethernet addresses of all your machines in
> /etc/ethers, the following patch will let the arp command display
> ethernet addresses symbolically. Then you can ping your broadcast
> address to fill your route/arp table, and display the results with arp
> -a. A similar patch could probably be made to netstat (for the -r
> output).
>
> for example, my machine arps as
>
> dan.emsphone.com (199.67.51.101) at E_dan permanent
>
> since in /etc/ethers, I have
>
> 00:00:c0:ed:34:c7 E_dan
>
> -Dan Nelson
> dnelson@emsphone.com
>
> --- /usr/src/usr.sbin/arp/arp.c Thu Feb 8 15:05:52 1996
> +++ /usr/tmp/arp.c Mon Jul 29 18:07:03 1996
> @@ -441,10 +441,18 @@
>  }
>  }
>
> +/*
> + * Print an ethernet address in symbolic form, or numeric if there is no name
> + */
>  void
>  ether_print(u_char *cp)
>  {
> +	char name[100];
> +
> +	if (ether_ntohost(name, cp))
>  	printf("%x:%x:%x:%x:%x:%x", cp[0], cp[1], cp[2], cp[3], cp[4], cp[5]);
> +	else
> +	printf("%s", name);
>  }
>
>  int

I would recommend arpwatch (from the makers of tcpdump) at:

ftp://ftp.ee.lbl.gov/arpwatch.tar.Z

This is VERY helpful. It listens for arp replies and e-mails you (root) when anything changes. It also keeps a database of all ethernet addresses and IP addresses in use on your system.

You will probably need to get the following as well:

ftp://ftp.ee.lbl.gov/libpcap.tar.Z

Anyway, can arpwatch be added to FreeBSD in the future?

--
Mark O'Lear              \ e-mail: Mark.Olear@Colorado.EDU
University of Colorado   \ phone: (303) 492-3798
Telecomm. Svcs. (CB 313) \ fax: (303) 492-5105
Boulder, CO 80309        \
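Review bot: in the new ether_print body, ether_ntohost(name, cp) is called with no buffer length, so the fixed `char name[100]` is only safe while every name in /etc/ethers is shorter than 100 bytes; sizing the buffer to MAXHOSTNAMELEN, or at least documenting the limit beside the declaration, would make that assumption explicit. A smaller point: the numeric fallback keeps `%x`, so an unnamed address prints without zero padding (0:5:2:54:3f:54 rather than 00:05:02:54:3f:54), which will not match the zero-padded form used in /etc/ethers and in the kernel messages quoted above; `%02x` would keep the two forms comparable.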
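Added example, not part of this thread and not arpwatch's own code: a small Python replay of the arpwatch idea Mark recommends, run over constructed syslog lines in the "arp info overwritten" format quoted above and a constructed /etc/ethers file in the "MAC name" format from Dan's message (the host names in it are made up). It keeps an IP-to-MAC database, reports each change, and resolves MACs to symbolic names the way Dan's patch does.

```python
"""Added example, not from the thread: an arpwatch-style replay of FreeBSD's
"arp info overwritten" messages, resolving MACs through /etc/ethers."""
import re

# Constructed /etc/ethers contents ("MAC name" per line, as in Dan's message).
ETHERS = """\
00:00:c0:ed:34:c7 E_dan
00:05:02:44:5f:d1 E_lab3
"""

# Constructed syslog lines in the kernel's "arp info overwritten" format.
LOG = """\
Sep  4 15:33:01 fbsd /kernel: arp info overwritten for 194.159.125.100 by 00:05:02:44:5f:d1
Sep  4 15:33:05 fbsd /kernel: arp info overwritten for 194.159.125.110 by 0:5:2:54:3f:54
Sep  4 15:40:12 fbsd /kernel: arp info overwritten for 194.159.125.100 by 00:00:c0:ed:34:c7
"""

OVERWRITE_RE = re.compile(r"arp info overwritten for (\S+) by ([0-9a-fA-F:]+)")


def canon_mac(mac):
    """Normalise 0:5:2:54:3f:54 and 00:05:02:54:3F:54 to one spelling: the
    kernel prints octets with %x, so leading zeros may be missing."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def load_ethers(text):
    """Parse /etc/ethers ("MAC name" per line), skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mac, name = line.split(None, 1)
            table[canon_mac(mac)] = name
    return table


def track_overwrites(log_text, ethers_text):
    """Replay the log the way arpwatch watches ARP replies: keep an IP->MAC
    database and return (ip, mac, name, previous_mac) for each overwrite,
    with name falling back to the numeric MAC when /etc/ethers has none."""
    names = load_ethers(ethers_text)
    db, events = {}, []
    for line in log_text.splitlines():
        m = OVERWRITE_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), canon_mac(m.group(2))
        events.append((ip, mac, names.get(mac, mac), db.get(ip)))
        db[ip] = mac
    return events
```

Feeding it real /var/log/messages content and a real /etc/ethers gives the same "who is at fault" answer Dan describes, without the manual tcpdump session.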
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?322E0E17.9E9>