
arpwatch NG

The arpwatch NG package contains arpwatch and arpsnmp. Both utilities monitor Ethernet or FDDI network traffic and build databases of Ethernet/IP address pairs, and can report certain changes. It is based upon the original, but old, arpwatch package.


Recent releases

  •  07 Mar 2007 13:55

Release Notes: The autoconf system has been updated to fully support x86_64.

  •  27 Dec 2006 13:26

Release Notes: All report mode related information has been consolidated into one central report function table to allow for easy customization.

  •  20 Oct 2006 14:17

Release Notes: The error reporting on startup has been improved.

  •  29 Sep 2006 07:45

Release Notes: This release fixes bugs related to the new functionality added in the previous version.

  •  21 Sep 2006 04:17

Release Notes: The reporting system was reworked so that all errors should be reported using the current active reporting method. The ethercodes database was updated. Minor code cleanups were done.

Recent comments

08 Feb 2011 11:56 hotten Thumbs up

Hi,

I made arpwatch-ng VLAN-aware. It is a quick and dirty hack, but it works.
We use it to monitor a trunk on our core. We do not need to change any OS/arpwatch configuration when a VLAN is added.

--- /arpwatch.c 2006-11-09 10:15:23.000000000 -0100
+++ arpwatch.c 2011-02-08 12:52:02.000000000 -0100
@@ -120,6 +120,15 @@
u_int32_t netmask;
};

+// Vlan header
+struct ether_tag_header {
+ u_char ether_dhost[6];
+ u_char ether_shost[6];
+ u_char ether_tag[4];
+ u_short ether_type;
+
+};
+
static struct nets *nets;
static int nets_ind;
static int nets_size;
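Review bot: struct ether_tag_header in this hunk hard-codes a single 4-byte tag and has no field that is ever checked for the 0x8100 TPID, so it describes the frame correctly only while the pcap filter in a later hunk restricts capture to tagged frames; a caller handed an untagged frame would read the ARP header 4 bytes too far into the packet. Suggest either checking the TPID before using the struct or documenting the dependency on the filter next to the definition. The blank line before the closing brace is a minor style nit.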
@@ -131,7 +140,7 @@
/* Forwards */
static void process_ether(u_char *, const struct pcap_pkthdr *, const u_char *);
static void process_fddi(u_char *, const struct pcap_pkthdr *, const u_char *);
-static int sanity_ether(struct ether_header *, struct ether_arp *, int, time_t *);
+static int sanity_ether(struct ether_tag_header *, struct ether_arp *, int, time_t *);
static int sanity_fddi(struct fddi_header *, struct ether_arp *, int, time_t *);
static int isbogon(u_int32_t);
static int addnet(const char *);
@@ -155,7 +164,8 @@

char errbuf[PCAP_ERRBUF_SIZE];
/* this is the default filter: only arp or rarp traffic */
- char pcap_filter[512]={"(arp or rarp)"};
+ // Added it must be tagged 802.1q
+ char pcap_filter[512]={"vlan and (arp or rarp)"};

/* default report mode is 0 == old style */
int report_mode=0;
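Review bot: changing the default pcap_filter to `vlan and (arp or rarp)` means untagged ARP on the native VLAN of the trunk is no longer captured at all, a silent loss of coverage for a monitoring tool; consider keeping `(arp or rarp)` as the default and making the `vlan` qualifier a run-time option. The added comment `// Added it must be tagged 802.1q` should also read as a sentence, e.g. `/* Only capture 802.1Q-tagged ARP/RARP */`.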
@@ -281,7 +291,7 @@
netmask=0;
}

- snaplen = max(sizeof(struct ether_header), sizeof(struct fddi_header)) + sizeof(struct ether_arp);
+ snaplen = max(sizeof(struct ether_tag_header), sizeof(struct fddi_header)) + sizeof(struct ether_arp);
timeout = 1000;

pd = pcap_open_live(interface, snaplen, !nopromisc, timeout, errbuf);
@@ -409,17 +419,22 @@
{
struct ether_header *eh;
struct ether_arp *ea;
+
+ // declare our pointer
+ struct ether_tag_header *eth;
+
u_char *sea, *sha;
time_t t;
u_int32_t sia;

- eh = (struct ether_header *)p;
- ea = (struct ether_arp *)(eh + 1);
+ eth = (struct ether_tag_header *)p;
+ eh = (struct ether_tag_header *)eth;
+ ea = (struct ether_arp *)(eth+1);

/* extract time of observation */
t=h->ts.tv_sec;

- if(!sanity_ether(eh, ea, h->caplen, &t))
+ if(!sanity_ether(eth, ea, h->caplen, &t))
return;

/* Source hardware ethernet address */
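Review bot: `eh = (struct ether_tag_header *)eth;` casts to the wrong type: eh is a `struct ether_header *`, so this assigns an incompatible pointer type (compilers warn about it) and should read `eh = (struct ether_header *)eth;`. Since eth already points at the same address, the line only exists to keep later code that uses eh compiling; correct the cast or drop eh in favour of eth.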
@@ -459,17 +474,21 @@
}

/* Perform sanity checks on an ethernet arp/rarp packet, return true if ok */
-static int sanity_ether(struct ether_header *eh, struct ether_arp *ea, int len, time_t *t)
+static int sanity_ether(struct ether_tag_header *eth, struct ether_arp *ea, int len, time_t *t)
{
+ // cast this way i do not have to change all the code
+ struct ether_header *eh = (struct ether_header *) eth;
+
/* XXX use bsd style ether_header to avoid messy ifdef's */
struct bsd_ether_header {
u_char ether_dhost[6];
u_char ether_shost[6];
u_short ether_type;
};
- u_char *shost = ((struct bsd_ether_header *)eh)->ether_shost;
+ u_char *shost = ((struct bsd_ether_header *)eh)->ether_shost;

- eh->ether_type = ntohs(eh->ether_type);
+ // Overwrite the vlan type 0x8100 with the payload ethertype
+ eh->ether_type = ntohs(eth->ether_type);
ea->arp_hrd = ntohs(ea->arp_hrd);
ea->arp_pro = ntohs(ea->arp_pro);
ea->arp_op = ntohs(ea->arp_op);
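Review bot: the `- u_char *shost ...` / `+ u_char *shost ...` pair in this hunk differs only in whitespace and should be dropped from the patch. More substantively, `eh->ether_type = ntohs(eth->ether_type);` overwrites the TPID slot in the captured buffer with the inner EtherType without first checking that the slot actually held 0x8100, so the later ARP/RARP EtherType test passes for anything the filter let through; a one-line check on the original value before the overwrite would make sanity_ether self-contained rather than dependent on the filter string.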

13 Jun 2010 09:49 fhanzlik

Please, can arpwatch-ng recognize VLANs?
I just use the old arpwatch on Fedora. I want to monitor the eth0 interface, and on this interface several VLANs are also configured (see the ip config below). The arpwatch log fills with messages like:

arpwatch: 0:9:41:be:1a:dd sent bad hardware format 0x9

where 0x9 is the VLAN number. It is perhaps not possible to suppress these messages. Would it be better if I used arpwatch-ng?
Thanks in advance, franta na hanzlici.cz
Interfaces:
# ip addr
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1500 qdisc mq state UP qlen 1000
link/ether d8:d3:85:dd:c2:90 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.202/16 brd 192.168.255.255 scope global eth0
3: eth1: mtu 1500 qdisc mq state UP qlen 100
link/ether d8:d3:85:dd:c2:91 brd ff:ff:ff:ff:ff:ff
inet 198.33.85.25/29 brd 198.33.85.31 scope global eth1
inet 198.33.85.27/29 brd 198.33.85.31 scope global secondary eth1:0
4: vlan9@eth0: mtu 1500 qdisc noqueue state UP
link/ether d8:d3:85:dd:c2:90 brd ff:ff:ff:ff:ff:ff
inet 172.17.9.200/24 brd 172.17.9.255 scope global vlan9
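As an added example (not arpwatch code and not part of hotten's patch), a small C parser that handles the 802.1Q tag the way the patch above needs, and shows on a constructed frame for VLAN 9 why a tag-unaware reader reports `bad hardware format 0x9` as described in this comment; the struct, constants and frame bytes are mine.

```c
/* Added example, not arpwatch code: tag-aware ARP frame parse, showing why a
 * tag-unaware reader reports "bad hardware format 0x<vlan id>". Data is constructed. */
#include <stdint.h>
#include <stddef.h>
#define ETHERTYPE_VLAN 0x8100   /* 802.1Q TPID */
#define ETHERTYPE_ARP  0x0806
struct arp_view {
    int ok;              /* 1 if the frame parsed as Ethernet/IPv4 ARP */
    int tagged;          /* 1 if an 802.1Q tag was present */
    unsigned vlan_id;    /* 12-bit VLAN ID from the TCI, 0 if untagged */
    unsigned ethertype;  /* EtherType of the payload after any tag */
    unsigned arp_hrd;    /* ARP hardware type (1 == Ethernet) */
    unsigned arp_op;     /* ARP opcode (1 request, 2 reply) */
};
static unsigned be16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Tag-aware parse: if the EtherType slot holds the TPID 0x8100, the real
 * EtherType and the ARP header sit 4 bytes further into the frame. */
struct arp_view parse_arp_frame(const uint8_t *p, size_t len)
{
    struct arp_view v = {0};
    size_t off = 12;                        /* EtherType offset, untagged */
    if (len < 14) return v;
    if (be16(p + off) == ETHERTYPE_VLAN) {
        if (len < 18) return v;
        v.tagged = 1;
        v.vlan_id = be16(p + 14) & 0x0fff;  /* TCI = PCP(3) DEI(1) VID(12) */
        off = 16;
    }
    v.ethertype = be16(p + off);
    off += 2;
    if (v.ethertype != ETHERTYPE_ARP || len < off + 28) return v;
    v.arp_hrd = be16(p + off);
    v.arp_op = be16(p + off + 6);
    v.ok = 1;
    return v;
}

/* Tag-unaware reader: assumes a 14-byte header, so on a tagged frame it
 * takes the TCI as arp_hrd and a frame on VLAN 9 reports "0x9". */
unsigned naive_arp_hrd(const uint8_t *p) { return be16(p + 14); }

/* Constructed frame: ARP request on VLAN 9 (TPID 0x8100, TCI 0x0009). */
const uint8_t demo_frame[46] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x09,0x41,0xbe,0x1a,0xdd, /* dst, src MAC */
    0x81,0x00, 0x00,0x09, 0x08,0x06,                             /* TPID, TCI, ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,                 /* hrd pro hln pln op */
    0x00,0x09,0x41,0xbe,0x1a,0xdd, 172,17,9,1,                   /* sender MAC, IP */
    0x00,0x00,0x00,0x00,0x00,0x00, 172,17,9,200                  /* target MAC, IP */
};
```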
