ARPHOUND

Section: Maintenance Commands (8)
Updated: Last change: 21 October 2003

 

NAME

ArpHound - Description

 

SYNOPSIS

arphound [OPTIONS]

 

DESCRIPTION

arphound is a tool that listens to all traffic on a network interface and reports IP/MAC address pairs as well as events such as IP conflicts, IP changes, IP addresses with no RDNS, various forms of ARP spoofing and packets not using the expected gateway.

 

OPTIONS

-c file
use specified configuration file instead of default one

-f file
also log to file

-ns
do not log to syslog

-nd
do not run as a daemon

-ndisc
do not log discovery of new IP/MAC pairs when there is neither conflict nor IP change

-nout
do not log ARP requests from IP outside subnet

-ndns
do not log IP with no RDNS

-ch x
minimum interval in seconds between two log entries when a MAC uses multiple IPs

-co x
minimum log interval between IP conflict notifications

-tr x
minimum log interval between two notifications of any trouble involving the same IP/MAC addresses

 

LOG OUTPUT

The output format is standardised to ease parsing. Each line starts with a timestamp, followed by a string identifying the log event, followed by its parameters, separated by semicolons. A '!' in the first parameter means the event concerns an IP or MAC defined as critical in the configuration file. A 'c' in the first parameter means the event is a continuation of a previous event. The last parameter of most events, named count here, represents the number of times a packet triggering the event was seen since the last log.

DISCOVER; IP; MAC
A new entry has been found. MAC is in the xx:xx:xx:xx:xx:xx form.

DNS; ; IP; MAC
Specified MAC does not have any DNS entry.

DHCPREQUEST; ; MAC
DHCPREPLY; ; MAC
Specified MAC emitted a DHCP request/reply.

DHCPSERVER; ; MAC
A DHCP reply is not coming from a known DHCP server.

IPCHANGE; ; MAC; count; fastest; LastIP; FormerIP; OtherIPs...
A MAC address has had several IPs, count being the number of IP change occurrences and fastest being the shortest period between two changes.

IPCONFLICT; ; IP; MAC1; MAC2; ...
Several MAC addresses have the same IP. Only the MAC addresses seen using the IP since last log event are displayed.

ARPREQUEST_OUT; ; MAC; IP; count
ARPREPLY_OUT; ; MAC; IP; count
An ARP request or reply for an IP outside the subnet.

ARPREQUEST_SOURCE_MISMATCH; ; MACsource; MACtobetold; IP; count
An ARP request was emitted by MACsource for IP, but with the 'reply-to' field set to MACtobetold.

ARPREPLY_SOURCE_MISMATCH; ; MACsource; MACanswered; IP; count
An ARP reply emitted by MACsource tells that IP belongs to MACanswered, which is different from MACsource.

ARPREPLY_BROADCAST; ; MACsource; MACreplyed; IP; count
An ARP reply telling that IP belongs to MACreplyed was broadcast. This is very likely a gratuitous ARP, which is another word for spoofing.

PACKET_DESTINATION_MISMATCH; ; MACsource; MACtarget; IPtarget; count
A packet is destined for an address outside the subnet but is not using the MAC of a registered gateway.

PACKET_SOURCE_MISMATCH; ; MACsource; MACtarget; IPsource; count
A packet originates from outside the subnet, but is not using the MAC of a registered gateway.

PACKET_IN_AUTOCONFIGURE_NETWORK; ; MACSource
A packet originates from the autoconfigure network (169.254.0.0/16): the machine did not receive an expected DHCP reply.

ERR
Used when an unexpected error occurs. arphound is very likely to exit after one of those.
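
An added example, not part of arphound or of this manual page: a Python parser for the log format described above that returns the ARP anomaly events and the events flagged critical ('!'). The timestamp layout, the dictionary field names, the sample lines and the choice of events in ARP_ANOMALIES are assumptions of this example.

```python
import re

# Parameters after the flag field, per LOG OUTPUT; "*" marks a variable-length tail.
FIELDS = {
    "DISCOVER": "ip mac",  # listed on the page without a flag field
    "DNS": "ip mac", "IPCONFLICT": "ip macs*",
    "DHCPREQUEST": "mac", "DHCPREPLY": "mac", "DHCPSERVER": "mac",
    "IPCHANGE": "mac count fastest last_ip former_ip other_ips*",
    "ARPREQUEST_OUT": "mac ip count", "ARPREPLY_OUT": "mac ip count",
    "ARPREQUEST_SOURCE_MISMATCH": "mac_source mac_to_be_told ip count",
    "ARPREPLY_SOURCE_MISMATCH": "mac_source mac_answered ip count",
    "ARPREPLY_BROADCAST": "mac_source mac_replied ip count",
    "PACKET_DESTINATION_MISMATCH": "mac_source mac_target ip_target count",
    "PACKET_SOURCE_MISMATCH": "mac_source mac_target ip_source count",
    "PACKET_IN_AUTOCONFIGURE_NETWORK": "mac_source",
}
# Found by search: the timestamp layout is not given on the page, so it stays opaque.
EVENT_RE = re.compile(r"(?<![A-Z_])(%s)(?![A-Z_])" % "|".join(FIELDS))
# Events to review first: an assumption of this example, not a list from the page.
ARP_ANOMALIES = {"ARPREQUEST_SOURCE_MISMATCH", "ARPREPLY_SOURCE_MISMATCH",
                 "ARPREPLY_BROADCAST", "IPCONFLICT"}

def parse_line(line):
    """Return a dict for one arphound log line, or None if no known event."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = m.group(1)
    params = [p.strip() for p in line[m.end():].split(";")][1:]
    flags = params.pop(0) if event != "DISCOVER" and params else ""
    rec = {"timestamp": line[:m.start()].strip(" ;"), "event": event,
           "critical": "!" in flags, "continuation": "c" in flags}
    for i, name in enumerate(FIELDS[event].split()):
        if name.endswith("*"):
            rec[name[:-1]] = params[i:]
        else:
            rec[name] = params[i] if i < len(params) else None
    if (rec.get("count") or "").isdigit():
        rec["count"] = int(rec["count"])
    return rec

def triage(lines):
    return [r for r in map(parse_line, lines)
            if r and (r["critical"] or r["event"] in ARP_ANOMALIES)]

# Constructed sample lines; timestamp layout and addresses are assumptions.
SAMPLE = """Oct 21 17:36:41 DISCOVER; 192.0.2.10; 00:11:22:33:44:55
Oct 21 17:37:02 ARPREPLY_SOURCE_MISMATCH; !; 00:11:22:33:44:66; 00:11:22:33:44:55; 192.0.2.1; 3
Oct 21 17:39:00 IPCONFLICT; c; 192.0.2.20; 00:11:22:33:44:77; 00:11:22:33:44:88""".splitlines()
```

Calling triage(SAMPLE) returns the ARPREPLY_SOURCE_MISMATCH and IPCONFLICT records and skips the plain DISCOVER line.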

 

FILES

/etc/arphound.conf

 

SEE ALSO

arphound.conf(5) , arp(8)

 

AUTHOR

Matthieu Nottale <matthieu@nottale.net>

Information about arphound development can be found at http://www.nottale.net/

 

BUGS

No known bugs to arphound have been reported.

Please report any bug to the author.

