Date: Wed, 04 Sep 1996 17:17:43 -0600 From: "Mark O'Lear" <Mark.Olear@Colorado.EDU> To: Dan Nelson <dnelson@emsphone.com> Cc: "Daniel M. Eischen" <deischen@iworks.InterWorks.org>, paul@nation-net.com, questions@freebsd.org Subject: Re: arp info overwritten Message-ID: <322E0E17.9E9@Colorado.EDU> References: <199609041533.KAA08591@dan.emsphone.com>
Dan Nelson wrote:
>
> in the last episode, Daniel M. Eischen said:
> > > Is this message anything to worry about?
> > > The 2 IPs are machines in our class C.
> > >
> > > arp info overwritten for 194.159.125.100 by 00:05:02:44:5f:d1
> > > arp info overwritten for 194.159.125.110 by 00:05:02:54:3f:54
> >
> > Well, it depends on if you use those machines or not ;-)
> >
> > We've got a couple of FreeBSD PCs sitting in a building full of PCs
> > and Macs in the same subnet. We see this happen at least once a
> > month and logged by our FreeBSD PCs. Usually we can determine which
> > machines are at fault by using tcpdump on the affected ethernet MAC
> > addresses and by browsing shared DIRs (and similar
> > [...]
> > I don't know any other way of doing it (unless the administrators have
> > a list of all the machines and their MAC addresses). Maybe there's a
> > better way?
>
> If you keep a list of the ethernet addresses of all your machines in
> /etc/ethers, the following patch will let the arp command display
> ethernet addresses symbolically. Then you can ping your broadcast
> address to fill your route/arp table, and display the results with arp
> -a. A similar patch could probably be made to netstat (for the -r
> output).
>
> for example, my machine arps as
>
> dan.emsphone.com (199.67.51.101) at E_dan permanent
>
> since in /etc/ethers, I have
>
> 00:00:c0:ed:34:c7 E_dan
>
> -Dan Nelson
> dnelson@emsphone.com
>
> --- /usr/src/usr.sbin/arp/arp.c Thu Feb 8 15:05:52 1996
> +++ /usr/tmp/arp.c Mon Jul 29 18:07:03 1996
> @@ -441,10 +441,18 @@
> }
> }
>
> +/*
> + * Print an ethernet address in symbolic form, or numeric if there is no name
> + */
> void
> ether_print(u_char *cp)
> {
> + char name[100];
> +
> + if (ether_ntohost(name, cp))
> printf("%x:%x:%x:%x:%x:%x", cp[0], cp[1], cp[2], cp[3], cp[4], cp[5]);
> + else
> + printf("%s", name);
> }
>
> int
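Review bot: `char name[100]` in ether_print is sized by guess; ether_ntohost() takes no buffer length and copies whatever host name it finds in /etc/ethers, so any entry of 100 bytes or more overruns the stack buffer. Size it MAXHOSTNAMELEN from <sys/param.h>, the system's own upper bound for a host name, rather than a literal. A smaller point: on a hit the numeric address is dropped entirely (`printf("%s", name)`), so two /etc/ethers lines that map different MACs to one name, or a stale entry, become indistinguishable in `arp -a`; printing the name followed by the address in parentheses keeps the output usable for exactly the "which machine is at fault" hunt this thread is about.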
I would recommend arpwatch (from the makers of tcpdump) at:
ftp://ftp.ee.lbl.gov/arpwatch.tar.Z
This is VERY helpful. It listens for arp replies and e-mails
you (root) when anything changes. It also keeps a database
of all ethernet addresses and IP addresses in use on your
system. You will probably need to get the follow as well:
ftp://ftp.ee.lbl.gov/libpcap.tar.Z
Anyway, can arpwatch be added to FreeBSD in the future?
--
Mark O'Lear \ e-mail: Mark.Olear@Colorado.EDU
University of Colorado \ phone: (303) 492-3798
Telecomm. Svcs. (CB 313) \ fax: (303) 492-5105
Boulder, CO 80309 \
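The mechanism discussed in this thread, as an added example that is not part of the original messages and is not arpwatch's or FreeBSD's code: a minimal arpwatch-style monitor that parses Ethernet/ARP frames, keeps an IP-to-MAC database, and raises an alert when an IP reappears with a different MAC (the condition behind the kernel's "arp info overwritten" lines), printing the MAC symbolically when an /etc/ethers-style map knows it, as Dan's arp patch does. The IPs and the 00:05:02:... addresses come from the quoted log lines and the E_dan entry from Dan's message; the 08:00:20:... "original" adapters, the name mac-room210, the router address 194.159.125.1 and the frames themselves are constructed for the example.

```python
"""Minimal arpwatch-style ARP monitor (added example; not arpwatch's or FreeBSD's code)."""
import struct

ETHERTYPE_ARP = 0x0806
ARPOP_REQUEST = 1
ARPOP_REPLY = 2
ETH_HDR_LEN = 14
ARP_IPV4_LEN = 28


def canonical_mac(mac):
    """Zero-pad and lower-case a MAC so '0:5:2:44:5f:d1' == '00:05:02:44:5f:d1'.

    /etc/ethers (and the unpatched `arp -a` output) may omit leading zeros.
    """
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)


def parse_ethers(text):
    """Parse /etc/ethers lines ('mac hostname', '#' comments) into {mac: name}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, name = line.split(None, 1)
        table[canonical_mac(mac)] = name.strip()
    return table


def parse_arp(frame):
    """Return (sender_mac, sender_ip, opcode) for an Ethernet/IPv4 ARP frame, else None.

    Requests and replies both carry a sender hardware/protocol binding, and the
    kernel's "arp info overwritten" check applies to either, so both are accepted.
    """
    if len(frame) < ETH_HDR_LEN + ARP_IPV4_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    if op not in (ARPOP_REQUEST, ARPOP_REPLY):
        return None
    sha = ":".join("%02x" % b for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return sha, spa, op


class ArpWatcher:
    """Track IP -> MAC bindings and flag changes, as arpwatch does with its database."""

    def __init__(self, ethers=None):
        self.ethers = ethers or {}
        self.db = {}       # ip -> mac, the equivalent of arpwatch's database
        self.alerts = []   # messages arpwatch would mail to root

    def name(self, mac):
        """Symbolic name from /etc/ethers if known, otherwise the numeric MAC."""
        return self.ethers.get(mac, mac)

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        mac, ip, _op = parsed
        old = self.db.get(ip)
        self.db[ip] = mac
        if old is None:
            return "new station"
        if old != mac:
            self.alerts.append("arp info overwritten for %s by %s (was %s)"
                               % (ip, self.name(mac), self.name(old)))
            return "changed ethernet address"
        return None


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP request or reply (constructed test input)."""
    smac = bytes.fromhex(canonical_mac(sender_mac).replace(":", ""))
    tmac = bytes.fromhex(canonical_mac(target_mac).replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    eth_dst = tmac if op == ARPOP_REPLY else b"\xff" * 6   # requests are broadcast
    eth = eth_dst + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip
    return eth + arp


# Constructed /etc/ethers: E_dan is Dan's own entry, mac-room210 is a made-up name.
ETHERS = """\
# constructed /etc/ethers
00:00:c0:ed:34:c7 E_dan
0:5:2:44:5f:d1    mac-room210
"""


def demo():
    """Replay constructed ARP traffic; return the alerts arpwatch would have mailed."""
    w = ArpWatcher(parse_ethers(ETHERS))
    me, my_ip = "00:00:c0:ed:34:c7", "194.159.125.1"   # assumed watcher host
    frames = [
        # first sightings of the two IPs from the log, on constructed "original" adapters
        build_arp(ARPOP_REPLY, "08:00:20:01:02:03", "194.159.125.100", me, my_ip),
        build_arp(ARPOP_REPLY, "08:00:20:04:05:06", "194.159.125.110", me, my_ip),
        # a non-ARP frame (ethertype IPv4) must be ignored
        b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 28,
        # a second machine now claims .100: the event the kernel logged
        build_arp(ARPOP_REQUEST, "00:05:02:44:5f:d1", "194.159.125.100",
                  "00:00:00:00:00:00", my_ip),
        # the same binding again is steady state, not a second alert
        build_arp(ARPOP_REPLY, "00:05:02:44:5f:d1", "194.159.125.100", me, my_ip),
        # .110 flips to a MAC /etc/ethers does not know, so it is printed numerically
        build_arp(ARPOP_REPLY, "00:05:02:54:3f:54", "194.159.125.110", me, my_ip),
    ]
    for f in frames:
        w.observe(f)
    return w.alerts
```

A real deployment would feed `observe()` from a libpcap capture with a filter of `arp`, and the database would be written to disk so that a reboot does not turn every station into a "new station". The same-binding case deliberately produces no alert: a busy subnet re-announces bindings constantly, and arpwatch's value is that it only speaks when the MAC behind an IP actually changes.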
