[svlug] arpwatch

Dave Zarzycki dave at zarzycki.ml.org
Wed Nov 11 10:35:11 PST 1998


On Tue, 10 Nov 1998, Alvin Oga wrote:

> From arpwatch on chipmunk ( *.41 ):
> 	-
> 	- have shitloads of them for each new host found
> 	- since arpwatch running the first time...
> 	-
> 	Return-Path: <root>
> 	Date: Tue, 10 Nov 1998 04:41:11 -0800
> 	To: root at chipmunk
> 	Subject: new station (planet.fef.com)
> 
> 	            hostname: planet.fef.com
> 	          ip address: 198.147.196.14
> 	    ethernet address: 0:40:5:1b:d7:3c
> 	     ethernet vendor: TRENDware International Inc.; Linksys; Simple Net; all three reported
> 	           timestamp: Tuesday, November 10, 1998 4:40:06 -0800
> 
> and other NICs/hosts found on the local LAN have our local ip# but
> with domain names we do not support...that I know of...

Err. I suggest that you know who is or is not on your LAN before anything else.

> and of course netstat, ls, top, route, ifconfig etc do not show the
> "unknown domains"...

I don't see any reason why they would; it's not as if the machine in
question is connecting to you.
 
> > > arpwatch comes by default? on rh-5.2...
> > 
> > And this is a *big* mistake for cable modem users. You will get a few
> > thousand messages to root the first day or so as arpwatch builds its
> > database, and probably a few hundred a week as all sorts of ARP oddities
> > happen on the network. Unless you are ultra paranoid, arpwatch will drive
> > you nuts.
> 
> if it reports "new connections"...I don't mind...

It's not new connections; arpwatch is simply looking at the ARP activity on your local ethernet.

> it does fill up /var/log/messages... guess we can remove them later...
> or disable logging into messages....
> 
> I like to know when a new NIC or host is added to the LAN...

That is the goal of arpwatch, among other things.

davez
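
An added example, not part of the original message or of arpwatch itself: a short Python parser for the "new station" report format quoted above, which pads the unpadded MAC octets arpwatch prints and checks the address against an inventory of stations you already know. The `KNOWN_STATIONS` table, its contents and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the report body quoted in the thread above.
SAMPLE_REPORT = """\
Subject: new station (planet.fef.com)

            hostname: planet.fef.com
          ip address: 198.147.196.14
    ethernet address: 0:40:5:1b:d7:3c
     ethernet vendor: TRENDware International Inc.; Linksys; Simple Net; all three reported
           timestamp: Tuesday, November 10, 1998 4:40:06 -0800
"""

# Hypothetical inventory of MACs the admin already knows (constructed values).
KNOWN_STATIONS = {"00:a0:c9:12:34:56": "fileserver"}


def normalize_mac(mac):
    """arpwatch prints octets without leading zeros (0:40:5:...); pad them."""
    octets = mac.strip().lower().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError(f"not an ethernet address: {mac!r}")
    return ":".join(o.zfill(2) for o in octets)


def parse_report(text):
    """Return the report's 'key: value' fields plus the event type from Subject."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only: MACs and timestamps contain more.
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        key = key.strip().lower()
        if key == "subject":
            fields["event"] = value.split("(")[0].strip()
        else:
            fields[key] = value.strip()
    fields["ethernet address"] = normalize_mac(fields["ethernet address"])
    return fields


def triage(fields, known=KNOWN_STATIONS):
    """Label a report: inventoried hardware is noise, anything else needs a look."""
    name = known.get(fields["ethernet address"])
    if name:
        return f"known ({name})"
    return f"unknown: {fields['ip address']} {fields['ethernet address']}"
```
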


