
08 Feb 2011 11:56 hotten Thumbs up

Hi,

I made arpwatch-ng vlan aware. It is a quick and dirty hack but it works.
We use it to monitor a trunk on our core. We do not need to change any OS/arpwatch configuration when a vlan is added.

--- /arpwatch.c 2006-11-09 10:15:23.000000000 -0100
+++ arpwatch.c 2011-02-08 12:52:02.000000000 -0100
@@ -120,6 +120,15 @@
u_int32_t netmask;
};

+// Vlan header
+struct ether_tag_header {
+ u_char ether_dhost[6];
+ u_char ether_shost[6];
+ u_char ether_tag[4];
+ u_short ether_type;
+
+};
+
static struct nets *nets;
static int nets_ind;
static int nets_size;
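Review bot: `struct ether_tag_header` encodes exactly one 802.1Q tag, so a double-tagged (QinQ) frame would have its inner TPID land in `ether_type` and presumably fail the ethertype comparison later in sanity_ether, and the VLAN id (low 12 bits of the TCI inside `ether_tag`) is never read, so reports still cannot say which VLAN an entry was seen on. The comment should state the layout and that assumption, e.g. `/* Ethernet header with a single 802.1Q tag: dst, src, TPID+TCI (4 bytes), payload ethertype; nothing is extracted from the tag itself */`. The stray blank line before the closing brace is a style nit.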
@@ -131,7 +140,7 @@
/* Forwards */
static void process_ether(u_char *, const struct pcap_pkthdr *, const u_char *);
static void process_fddi(u_char *, const struct pcap_pkthdr *, const u_char *);
-static int sanity_ether(struct ether_header *, struct ether_arp *, int, time_t *);
+static int sanity_ether(struct ether_tag_header *, struct ether_arp *, int, time_t *);
static int sanity_fddi(struct fddi_header *, struct ether_arp *, int, time_t *);
static int isbogon(u_int32_t);
static int addnet(const char *);
@@ -155,7 +164,8 @@

char errbuf[PCAP_ERRBUF_SIZE];
/* this is the default filter: only arp or rarp traffic */
- char pcap_filter[512]={"(arp or rarp)"};
+ // Added it must be tagged 802.1q
+ char pcap_filter[512]={"vlan and (arp or rarp)"};

/* default report mode is 0 == old style */
int report_mode=0;
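Review bot: The new default filter `vlan and (arp or rarp)` excludes every untagged frame, so ARP on the trunk's native VLAN, and on any untagged port this build is later run on, is no longer observed at all, and process_ether's fixed 18-byte header would misparse such a frame if the filter ever let it through. If untagged traffic should also be monitored, the parser would need to branch on the captured ethertype being 0x8100 and pick the header length accordingly rather than relying on the filter alone. At minimum the comment should make the trade-off explicit: `/* default filter: 802.1q-tagged arp/rarp only; untagged (native-VLAN) ARP is deliberately ignored */`.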
@@ -281,7 +291,7 @@
netmask=0;
}

- snaplen = max(sizeof(struct ether_header), sizeof(struct fddi_header)) + sizeof(struct ether_arp);
+ snaplen = max(sizeof(struct ether_tag_header), sizeof(struct fddi_header)) + sizeof(struct ether_arp);
timeout = 1000;

pd = pcap_open_live(interface, snaplen, !nopromisc, timeout, errbuf);
@@ -409,17 +419,22 @@
{
struct ether_header *eh;
struct ether_arp *ea;
+
+ // declare our pointer
+ struct ether_tag_header *eth;
+
u_char *sea, *sha;
time_t t;
u_int32_t sia;

- eh = (struct ether_header *)p;
- ea = (struct ether_arp *)(eh + 1);
+ eth = (struct ether_tag_header *)p;
+ eh = (struct ether_tag_header *)eth;
+ ea = (struct ether_arp *)(eth+1);

/* extract time of observation */
t=h->ts.tv_sec;

- if(!sanity_ether(eh, ea, h->caplen, &t))
+ if(!sanity_ether(eth, ea, h->caplen, &t))
return;

/* Source hardware ethernet address */
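Review bot: `eh = (struct ether_tag_header *)eth;` assigns a `struct ether_tag_header *` to `eh`, which is declared `struct ether_header *`, so it is an incompatible-pointer-type assignment that compilers diagnose; it should read `eh = (struct ether_header *)eth;` (the two layouts share the leading dst/src fields, which is presumably all the remainder of process_ether needs from `eh`). `ea = (struct ether_arp *)(eth+1)` correctly places the ARP body after the 18-byte tagged header, but it relies on the struct having no padding, which holds here only because every member has byte or 2-byte alignment; a one-line comment stating that would help the next reader. The `// declare our pointer` comment adds nothing and could be dropped. process_ether continues past the end of the hunk, so later uses of `eh` are not visible here.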
@@ -459,17 +474,21 @@
}

/* Perform sanity checks on an ethernet arp/rarp packet, return true if ok */
-static int sanity_ether(struct ether_header *eh, struct ether_arp *ea, int len, time_t *t)
+static int sanity_ether(struct ether_tag_header *eth, struct ether_arp *ea, int len, time_t *t)
{
+ // cast this way i do not have to change all the code
+ struct ether_header *eh = (struct ether_header *) eth;
+
/* XXX use bsd style ether_header to avoid messy ifdef's */
struct bsd_ether_header {
u_char ether_dhost[6];
u_char ether_shost[6];
u_short ether_type;
};
- u_char *shost = ((struct bsd_ether_header *)eh)->ether_shost;
+ u_char *shost = ((struct bsd_ether_header *)eh)->ether_shost;

- eh->ether_type = ntohs(eh->ether_type);
+ // Overwrite the vlan type 0x8100 with the payload ethertype
+ eh->ether_type = ntohs(eth->ether_type);
ea->arp_hrd = ntohs(ea->arp_hrd);
ea->arp_pro = ntohs(ea->arp_pro);
ea->arp_op = ntohs(ea->arp_op);
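Review bot: The length check that follows in sanity_ether is outside the hunk and is not touched by this patch; if it still compares `len` against `sizeof(*eh) + sizeof(*ea)` rather than `sizeof(*eth) + sizeof(*ea)`, a tagged frame truncated to the old 14-byte-header minimum passes the check and the ARP fields are read 4 bytes beyond caplen. It should become `if (len < sizeof(*eth) + sizeof(*ea))` with the accompanying message adjusted, which is worth confirming in the part of the function not shown. `eh->ether_type = ntohs(eth->ether_type);` writes the payload ethertype over the tag's TPID in the capture buffer so the unchanged ethertype comparison below keeps working; the comment should say that the frame is mutated in place, e.g. `/* In-place: replace the 0x8100 TPID with the inner ethertype so the untagged checks below still apply */`. The rewritten `u_char *shost = ...` line differs from the removed one only in whitespace and could be dropped from the patch.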

13 Jun 2010 09:49 fhanzlik

Please, can arpwatch-ng recognize VLANs?
I currently use the old arpwatch on Fedora. I want to monitor the eth0 interface, which also has several VLANs configured on it (see the ip config below), and the arpwatch log fills with messages like:

arpwatch: 0:9:41:be:1a:dd sent bad hardware format 0x9

where 0x9 is the VLAN number. It seems these messages cannot be suppressed. Would it be better if I used arpwatch-ng?
Thanks in advance, franta na hanzlici.cz
Interfaces:
# ip addr
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1500 qdisc mq state UP qlen 1000
link/ether d8:d3:85:dd:c2:90 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.202/16 brd 192.168.255.255 scope global eth0
3: eth1: mtu 1500 qdisc mq state UP qlen 100
link/ether d8:d3:85:dd:c2:91 brd ff:ff:ff:ff:ff:ff
inet 198.33.85.25/29 brd 198.33.85.31 scope global eth1
inet 198.33.85.27/29 brd 198.33.85.31 scope global secondary eth1:0
4: vlan9@eth0: mtu 1500 qdisc noqueue state UP
link/ether d8:d3:85:dd:c2:90 brd ff:ff:ff:ff:ff:ff
inet 172.17.9.200/24 brd 172.17.9.255 scope global vlan9
