[clue] [tech] arpwatch patch to exclude DHCP range of IP addresses

Jim Ockers ockers at ockers.net
Mon Mar 4 10:26:14 MST 2013 

Hi CLUEbies,

I installed arpwatch on a CentOS6 system on a network I manage to try to 
figure out when someone connects something to the network that steps on 
one of the IP addresses of a server.  For important servers (e.g. iSCSI 
SAN initiator or target), having an IP conflict is Bad.  The Arpwatch 
that comes with CentOS works fine out of the box.  It maintains an ARP 
table and notifies me via e-mail whenever an IP address changes MAC 
addresses, among other things.  It sends a lot of e-mails.

The problem is that frankly I don't care if an IP address in the DHCP 
range changes MAC addresses.  DHCP addresses are dynamic and it's 
perfectly fine if another one of these changes MAC addresses. There are 
150 IPs in this DHCP range which is not a subnet (it does not fall on 
any subnet boundaries).  The DHCP IPs are all in the same subnet as the 
rest of the network.  I don't want to get an e-mail from arpwatch every 
time something requests and gets an IP address, which used to be leased 
to something else, in the DHCP range of IPs.

Does anyone have any great ideas how to do this?  This is apparently a 
lot harder than it seems.  Here's what I've tried or looked at so far:

There seems to be no really good way to get arpwatch to ignore MAC 
changes in a DHCP range.  The suggestions I've found when googling are:

  * Configure the mail-sending program, or the mail-receiving program,
    to filter out messages from arpwatch that match one of these IP
    addresses.  This is great, I would only have to manually code 150
    mail filters, one for each IP.
  * Recompile arpwatch, if I could find a usable patch.  Even if I
    could, the patch would be huge and ungainly, because it seems that a
    pcap capture filter is required.
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=272779  This might
    work I suppose, assuming that the pcap_compile function will accept
    a 5,000 character capture filter.

I see that Debian's arpwatch might also have a -z option to exclude a 
subnet.  From looking at the code I think that the problem is that 
arpwatch uses libpcap, with a (arp or rarp) capture filter, to do its 
packet capturing.  To get pcap to ignore a range of IPs, you would wind 
up with a huge pcap capture filter like this:

(arp or rarp) and not host 192.168.1.100 and not host 192.168.1.101 and 
not host 192.168.1.102 and not host 192.168.1.103 and so on and so forth 
ad nauseum.

This ServerFault article shows examples of a big pcap capture filter to 
exclude subnets: 
http://serverfault.com/questions/123540/tcpdump-filter-that-excludes-private-ip-traffic

Thanks,
Jim

--
Jim Ockers, P.E., P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cluedenver.org/pipermail/clue/attachments/20130304/8152a1d8/attachment.html

More information about the clue mailing list