[svlug] arpwatch
Alvin Oga
alvin at planet.fef.com
Tue Nov 10 18:05:39 PST 1998
hi ya Dave...
thanx for your reply...
> > what does it mean when arpwatch catches and reports
> > a (new) IP#/MAC address of the ethernet cards on
> > our local LAN for domain names we don't support ???
>
> Huh? Could I see the message that it literally sends root? What is the
> interface of the machine in question connected to?
From arpwatch on chipmunk ( *.41 ):
-
- have shitloads of them for each new host found
- since arpwatch running the first time...
-
Return-Path: <root>
Date: Tue, 10 Nov 1998 04:41:11 -0800
To: root at chipmunk
Subject: new station (planet.fef.com)
hostname: planet.fef.com
ip address: 198.147.196.14
ethernet address: 0:40:5:1b:d7:3c
ethernet vendor: TRENDware International Inc.; Linksys; Simple Net; all three reported
timestamp: Tuesday, November 10, 1998 4:40:06 -0800
and other NICs/hosts found on the local LAN have our local ip# but
with domain names we do not support...that I know of...
and of course netstat, ls, top, route, ifconfig etc. do not show the
"unknown domains"...
> > arpwatch comes by default? on rh-5.2...
>
> And this is a *big* mistake for cable modem users. You will get a few
> thousand messages to root the first day or so as arpwatch builds its
> database, and probably a few hundred a week as all sorts of ARP oddities
> happen on the network. Unless you are ultra paranoid, arpwatch will drive
> you nuts.
if it reports "new connections"...I don't mind...
it does fill up /var/log/messages... guess we can remove them later...
or disable logging into messages....
I like to know when a new NIC or host is added to the LAN...
thanx
alvin