[clue] [tech] arpwatch patch to exclude DHCP range of IP addresses
Jim Ockers
ockers at ockers.net
Mon Mar 4 10:26:14 MST 2013
Hi CLUEbies,
I installed arpwatch on a CentOS6 system on a network I manage to try to
figure out when someone connects something to the network that steps on
one of the IP addresses of a server. For important servers (e.g. iSCSI
SAN initiator or target), having an IP conflict is Bad. The Arpwatch
that comes with CentOS works fine out of the box. It maintains an ARP
table and notifies me via e-mail whenever an IP address changes MAC
addresses, among other things. It sends a lot of e-mails.
The problem is that frankly I don't care if an IP address in the DHCP
range changes MAC addresses. DHCP addresses are dynamic and it's
perfectly fine if another one of these changes MAC addresses. There are
150 IPs in this DHCP range which is not a subnet (it does not fall on
any subnet boundaries). The DHCP IPs are all in the same subnet as the
rest of the network. I don't want to get an e-mail from arpwatch every
time something requests and gets an IP address, which used to be leased
to something else, in the DHCP range of IPs.
Does anyone have any great ideas how to do this? This is apparently a
lot harder than it seems. Here's what I've tried or looked at so far:
There seems to be no really good way to get arpwatch to ignore MAC
changes in a DHCP range. The suggestions I've found when googling are:
* Configure the mail-sending program, or the mail-receiving program,
to filter out messages from arpwatch that match one of these IP
addresses. This is great, I would only have to manually code 150
mail filters, one for each IP.
* Recompile arpwatch, if I could find a usable patch. Even if I
could, the patch would be huge and ungainly, because it seems that a
pcap capture filter is required.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=272779 This might
work I suppose, assuming that the pcap_compile function will accept
a 5,000 character capture filter.
I see that Debian's arpwatch might also have a -z option to exclude a
subnet. From looking at the code I think that the problem is that
arpwatch uses libpcap, with a (arp or rarp) capture filter, to do its
packet capturing. To get pcap to ignore a range of IPs, you would wind
up with a huge pcap capture filter like this:
(arp or rarp) and not host 192.168.1.100 and not host 192.168.1.101 and
not host 192.168.1.102 and not host 192.168.1.103 and so on and so forth
ad nauseam.
This ServerFault article shows examples of a big pcap capture filter to
exclude subnets:
http://serverfault.com/questions/123540/tcpdump-filter-that-excludes-private-ip-traffic
Thanks,
Jim
--
Jim Ockers, P.E., P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/
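The post assumes that excluding a DHCP pool which does not sit on a subnet boundary forces a "not host" clause per address. A range of that kind always decomposes into a handful of CIDR blocks, which keeps the capture filter short enough that pcap_compile's expression size is a non-issue. The following is an added example, not code from the post or from arpwatch; the pool boundaries 192.168.1.100 to 192.168.1.249 are constructed to match a 150-address range and are an assumption, as is the choice to key the exclusion on the ARP sender field (the field arpwatch records) via `src net`, which libpcap applies to the ARP sender protocol address when the expression is combined with `arp`.

```python
"""Build a compact libpcap capture filter that excludes an arbitrary IPv4
range (not aligned to a subnet boundary) without one clause per host.
Added example; assumes Python 3.9+ standard library only."""
import ipaddress

# Constructed sample: a 150-address DHCP pool inside 192.168.1.0/24.
# The boundaries are assumptions for illustration, not values from the post.
DHCP_FIRST = "192.168.1.100"
DHCP_LAST = "192.168.1.249"
BASE_FILTER = "(arp or rarp)"   # the expression arpwatch already uses


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def build_exclusion_filter(first, last, base=BASE_FILTER, sender_only=True):
    """Return a pcap filter that keeps the base traffic but drops packets whose
    ARP sender address (or either address, if sender_only is False) lies in
    [first, last]. 'src net' restricts the match to the sender field, which is
    the pairing arpwatch reports on; plain 'net' would also drop requests that
    merely target a pooled address."""
    qualifier = "src net" if sender_only else "net"
    clauses = " or ".join(f"{qualifier} {cidr}" for cidr in range_to_cidrs(first, last))
    return f"{base} and not ({clauses})"


def naive_filter(first, last, base=BASE_FILTER):
    """The per-host form described in the post, kept only for size comparison."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    hosts = " and ".join(f"not host {ipaddress.IPv4Address(i)}"
                         for i in range(start, end + 1))
    return f"{base} and {hosts}"


def covered(cidrs, addr):
    """Self-check: is addr inside one of the CIDR blocks?"""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.IPv4Network(c) for c in cidrs)


if __name__ == "__main__":
    blocks = range_to_cidrs(DHCP_FIRST, DHCP_LAST)
    print(f"{len(blocks)} CIDR blocks cover the pool:", ", ".join(blocks))
    compact = build_exclusion_filter(DHCP_FIRST, DHCP_LAST)
    print("compact filter:", compact)
    print("compact length:", len(compact),
          "vs per-host length:", len(naive_filter(DHCP_FIRST, DHCP_LAST)))
    # Sanity-check the decomposition against the boundaries and neighbours.
    for probe in ("192.168.1.99", "192.168.1.100", "192.168.1.249", "192.168.1.250"):
        print(probe, "excluded" if covered(blocks, probe) else "still watched")
```

The resulting expression can be handed to tcpdump first (for example `tcpdump -n -e "<expression>"` on the monitored interface) to confirm it compiles and that traffic from a pooled address disappears while a static server's ARP replies still show, before it is wired into a patched arpwatch or a distribution build that accepts a filter argument. Because addresses just outside the pool are still watched, a conflict on a server IP adjacent to the range is reported as before.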