The switch port counters have stopped incrementing while traffic is flowing.
# arpwatch 2.1a15
# ===============
# According to the Change Log, other than 2.1a15 in June 2006, arpwatch
# hadn't been updated since 1997. I haven't tried my patch below since 2.1a13.
#
# Prerequisites:
#   libpcap

cd
test -f installed/arpwatch-2.1a15.tar.gz && mv installed/arpwatch-2.1a15.tar.gz .
test ! -f arpwatch-2.1a15.tar.gz && wget ftp://lbl.gov/arpwatch-2.1a15.tar.gz
mkdir -p -m 0700 src
cd src
find -maxdepth 1 -type d -name "arpwatch-*" -exec rm -r {} \;
tar xzvf ~/arpwatch-2.1a15.tar.gz
cd arpwatch-2.1a15
test $UID = 0 && chown -R root:root .

# If you're going to run it on multiple interfaces, you might want to try
# my patch that changes the program name in syslog to something like
# arpwatch-int0 so you know which interface the logging is about
# (if not, skip this part).
Package: arpwatch
Version: 2.1a15-1.1
Severity: important
Tags: upstream

When running arpwatch on a plain Ethernet interface when packets with 802.1Q VLAN tags are present, arpwatch syslogs an error of the form:

    sent bad hardware format ...
An example of this can be seen by performing a nmap scan of a local network.
This is just annoying "noise" which we would like NeDi to discard, because it's perfectly normal.

arpwatch NG 1.5:
  - try to report error on startup better [FIXED]

arpwatch NG 1.4:
  - try to report all anomalies via the report function, not syslog [FIXED]
  - mode 2: make action list parseable [FIXED]
  - further static'fy local functions in arpwatch.c [FIXED]
  - ethercodes updated from nmap-4.11 and removed old ones [UPDATED]

arpwatch NG 1.2:
  - on make install also install man-pages [FIXED]
  - ethercodes updated from nmap-4.00 [UPDATED]

You can download the latest version of ARPWatch here.

For security reasons it is strongly recommended to configure the NeDi server with a non-public IP address, primarily to avoid making the web server a target of attack from the Internet.

# If you're looking for something in active development (or at least
# something with more recent development), check out arpwatch-ng.
#
# I use -ng now, so any further updates to this howto will most likely just
# be updates to the tarball file name if new versions are released.

But it's not possible to do that generally, and I've had to disable arpwatch on some servers to prevent a logfile hog, because I have a double LAN configuration, one on a physical interface (eth0) and one on a VLAN over that (eth0.666). I don't know if there is some iptables rule that is able to filter VLAN-tagged ARP requests on the main interface without breaking the whole ARP resolution protocol.

This might not be ideal (what about 802.1p priority-only tags?) but it is certainly better than the existing situation.