From owner-freebsd-questions Wed Sep 4 16:18:01 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA08712 for questions-outgoing; Wed, 4 Sep 1996 16:18:01 -0700 (PDT)
Received: from jack.Colorado.EDU (jack.Colorado.EDU [128.138.149.29]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA08707 for ; Wed, 4 Sep 1996 16:17:59 -0700 (PDT)
Received: from jack (localhost [127.0.0.1]) by jack.Colorado.EDU (8.7.5/8.7.3/CNS-4.0p) with SMTP id RAA16229; Wed, 4 Sep 1996 17:17:43 -0600 (MDT)
Message-ID: <322E0E17.9E9@Colorado.EDU>
Date: Wed, 04 Sep 1996 17:17:43 -0600
From: "Mark O'Lear"
Organization: University of Colorado
X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.4 sun4m)
MIME-Version: 1.0
To: Dan Nelson
CC: "Daniel M. Eischen", paul@nation-net.com, questions@freebsd.org
Subject: Re: arp info overwritten
References: <199609041533.KAA08591@dan.emsphone.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Dan Nelson wrote:
> 
> in the last episode, Daniel M. Eischen said:
> > > Is this message anything to worry about?
> > > The 2 IPs are machines in our class C.
> > >
> > > arp info overwritten for 194.159.125.100 by 00:05:02:44:5f:d1
> > > arp info overwritten for 194.159.125.110 by 00:05:02:54:3f:54
> >
> > Well, it depends on if you use those machines or not ;-)
> >
> > We've got a couple of FreeBSD PCs sitting in a building full of PCs
> > and Macs in the same subnet.  We see this happen at least once a
> > month and logged by our FreeBSD PCs.  Usually we can determine which
> > machines are at fault by using tcpdump on the affected ethernet MAC
> > addresses and by browsing shared DIRs (and similar
> > [...]
> > I don't know any other way of doing it (unless the administrators have
> > a list of all the machines and their MAC addresses).  Maybe there's a
> > better way?
> 
> If you keep a list of the ethernet addresses of all your machines in
> /etc/ethers, the following patch will let the arp command display
> ethernet addresses symbolically.  Then you can ping your broadcast
> address to fill your route/arp table, and display the results with arp
> -a.  A similar patch could probably be made to netstat (for the -r
> output).
> 
> for example, my machine arps as
> 
> dan.emsphone.com (199.67.51.101) at E_dan permanent
> 
> since in /etc/ethers, I have
> 
> 00:00:c0:ed:34:c7 E_dan
> 
> -Dan Nelson
> dnelson@emsphone.com
> 
> --- /usr/src/usr.sbin/arp/arp.c	Thu Feb  8 15:05:52 1996
> +++ /usr/tmp/arp.c	Mon Jul 29 18:07:03 1996
> @@ -441,10 +441,18 @@
>  	}
>  }
>  
> +/*
> + * Print an ethernet address in symbolic form, or numeric if there is no name
> + */
>  void
>  ether_print(u_char *cp)
>  {
> +	char name[100];
> +
> +	if (ether_ntohost(name, cp))
>  	printf("%x:%x:%x:%x:%x:%x", cp[0], cp[1], cp[2], cp[3], cp[4], cp[5]);
> +	else
> +	printf("%s", name);
>  }
>  
>  int

I would recommend arpwatch (from the makers of tcpdump) at:

	ftp://ftp.ee.lbl.gov/arpwatch.tar.Z

This is VERY helpful.  It listens for arp replies and e-mails you (root)
when anything changes.  It also keeps a database of all ethernet
addresses and IP addresses in use on your system.

You will probably need to get the following as well:

	ftp://ftp.ee.lbl.gov/libpcap.tar.Z

Anyway, can arpwatch be added to FreeBSD in the future?

-- 
Mark O'Lear                 \ e-mail: Mark.Olear@Colorado.EDU
University of Colorado      \ phone:  (303) 492-3798
Telecomm. Svcs. (CB 313)    \ fax:    (303) 492-5105
Boulder, CO 80309           \
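Review bot: the `char name[100]` buffer handed to ether_ntohost() in ether_print has no length bound; ether_ntohost() takes only the destination buffer and the address, so an /etc/ethers name longer than 99 characters would run past the end of the array. Size it with MAXHOSTNAMELEN from <sys/param.h>, or state in the comment why 100 is enough. Minor: the unchanged `printf("%x:%x:%x:%x:%x:%x", ...)` line is now the body of the new `if`, so re-indenting it one level would make the control flow readable at a glance.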
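As an added example (not from the thread, not from arpwatch or the arp patch), this Python script does what Dan and Mark describe by hand: it reads an ethers(5)-style table, pulls the "arp info overwritten" kernel messages out of a syslog excerpt, and reports each IP-to-MAC change with its symbolic name, arpwatch-style. The two log lines and the E_dan entry come from the thread; the other ethers entries, host names and syslog prefixes are constructed.

```python
import re
# Constructed /etc/ethers: the E_dan entry is Dan Nelson's from the thread; the
# other two names are made-up labels for the MACs in the quoted log lines.
ETHERS = """\
00:00:c0:ed:34:c7 E_dan
0:5:2:44:5f:d1    lab-pc-7
00:05:02:54:3f:54 mac-room210
"""
# Constructed syslog excerpt: the first two messages are the ones quoted in the
# thread, the third is an invented change to a MAC that is not in ETHERS.
SYSLOG = """\
Sep  4 10:01:12 fbsd /kernel: arp info overwritten for 194.159.125.100 by 00:05:02:44:5f:d1
Sep  4 10:03:40 fbsd /kernel: arp info overwritten for 194.159.125.110 by 00:05:02:54:3f:54
Sep  4 10:07:02 fbsd /kernel: arp info overwritten for 194.159.125.100 by 0:a0:c9:12:34:56
"""
ARP_RE = re.compile(r"arp info overwritten for (\S+) by ([0-9a-fA-F:]+)")

def norm_mac(mac):
    # Six two-digit lowercase hex octets, so the unpadded "%x" form that arp(8)
    # prints and ethers(5) accepts compares equal to the padded kernel form.
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join("%02x" % int(o, 16) for o in octets)

def parse_ethers(text):
    # ethers(5): "<mac> <name>" per line, "#" starts a comment.
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mac, name = line.split(None, 1)
            table[norm_mac(mac)] = name.strip()
    return table

def parse_overwrite(line):
    # Return (ip, mac) for an "arp info overwritten" kernel message, else None.
    m = ARP_RE.search(line)
    return (m.group(1), norm_mac(m.group(2))) if m else None

def audit(syslog, ethers):
    # arpwatch-style pass: remember the last MAC seen per IP and report every
    # change with its ethers(5) name; "known" False marks a MAC not in the table.
    last, findings = {}, []
    for line in syslog.splitlines():
        ev = parse_overwrite(line)
        if ev:
            ip, mac = ev
            findings.append({"ip": ip, "mac": mac, "name": ethers.get(mac),
                             "prev": last.get(ip), "known": mac in ethers})
            last[ip] = mac
    return findings
```

A finding whose "known" field is False, or whose "prev" differs from "mac", is the station to chase with tcpdump.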