Tuesday, January 31, 2012

arpwatch on multiple interfaces

I'm regularly using arpwatch on all servers I install in order to track MAC changes and to notice potential MAC spoofings. But the problem is that on CentOS 6.2 the startup script shipped with arpwatch (package arpwatch-2.1a15-14.el6.x86_64) doesn't support multiple interfaces. More specifically, I can tell arpwatch on which interface to listen by modifying OPTIONS variable in /etc/sysconfig/arpwatch file and inserting -i <interface> option. But, I'm still restricted to a single interface. That is, it is possible to specify multiple -i options, but arpwatch still listens only on a single interface. I checked that in the source (version 2.1a15), and the last -i command is in effect, the previous one's are ignored.

So, I modified startup script so that it now accepts INTERFACES variable within /etc/syconfig/arpwatch configuration file and starts arpwatch on each specified interface. If this variable isn't defined then it behaves as before. For example, to start it on interfaces eth0 and eth1 you should add the following line in /etc/syconfig/arpwatch:
INTERFACES="eth0 eth1" 
The basic idea behind this change is to start arpwatch tool multiple times, once per each specified interface. Also, to each instance I give different database (arp.dat) so that multiple instances don't overwrite each other data.

Note that the script is a bit rough on edges, i.e. it properly behaves during startup phase, but not on shudown. Also, I embedded fixed path to data files. I'll improve this script in a due course when I find more time, or when it turns out that it's necessary to do so. :)

[20120203] Update: I had a an error in script because of which database files were placed in wrong directory and, as a consequence, arpwatch couldn't write database when it was exiting. Now, the script is updated and it works, furthermore, I tested stoping arpwatch using that script and it also works

3 comments:

-_-_-_ said...

Hi,
same arpwatch package.

it seems that the "-i" switch creates problems, my arpwatch istances seems started but in messages I have:

Jan 10 12:20:48 fairplay arpwatch: pcap open eth0: #001
Jan 10 12:20:48 fairplay arpwatch: pcap open eth1: #001

and, of course, no istances of arpwatch running....
if I use arpwatch without -i switch, all is OK, of course.. I have it only on eth0...

Stjepan Groš (sgros) said...

Something else is a problem, not -i switch. As you can see from the log files, arpwatch correctly started to listen on different interfaces (i.e. recognized -i switch) but for some reasons it stopped.

Try to manually run arpwatch on eth1 interface using -i switch and see what will happen.

-_-_-_ said...

the problem, but don't ask me which problem, is in the fedora FC18 package.

I had to recompile it from sourcer and now is correctly working.

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)

Blog Archive