ARPHOUND

Section: Maintenance Commands (8)
Updated: Last change: 21 October 2003
Index Return to Main Contents

NAME

ArpHound - Description

SYNOPSIS

arphound [OPTIONS]

DESCRIPTION

arphound is a tools that listens to all traffic on a network interface and reports IP/MAC address pair as well as events such as IP conflict, IP changes, IP addresses with no RDNS, various ARP spoofing and packets not using the expected gateway.

OPTIONS

-c file

use specified configuration file instead of default one

-f file

also log to file

-ns

do not log to syslog

-nd

do not run as a daemon

-ndisc

do not log discovery of new IP/MAC pairs when there is neither conflict nor IP change

-nout

do not log ARP requests from IP outside subnet

-ndns

do not log IP with no RDNS

-ch x

minimum interval in seconds between two logs entry when a MAC uses multiples IP

-co x

min log interval between ip conflicts notification

-tr x

min log interval between two notifications of any trouble involving the same IP/MAC addresses

LOG OUTPUT

The output format is standardised to ease parsing. Each line starts with a timestamp followed by a string identifying the log event followed by its parameters, separated by a semicolon. A '!' in the first parameter means the event concerns IP or MAC defined as critical in the configuration file. A 'c' in the first parameter means the event is a continuation of a previous event. The last parameter of most events, named count here, represents the number of time a packet triggering the event was seen since last log.

DISCOVER; IP; MAC

A new entry has been found. MAC is in the xx:xx:xx:xx:xx:xx form.

DNS; ; IP; MAC

Specified MAC does not have any DNS entry.

DHCPREQUEST; ; MAC

DHCPREPLY; ; MAC

Specified MAC emitted a DHCP request/reply.

DHCPSERVER; ; MAC

A DHCP reply is not coming from a known DHCP server.

IPCHANGE; ; MAC; count; fastest; LastIP; FormerIP; OtherIPs...

A MAC address has had several IPs, count beeing the number of IP change occurence fastest beeing the shortest period between two changes.

IPCONFLICT; ; IP; MAC1; MAC2; ...

Several MAC addresses have the same IP. Only the MAC addresses seen using the IP since last log event are displayed.

ARPREQUEST_OUT; ; MAC; IP; count

ARPREPLY_OUT; ; MAC; IP; count

An ARP request or reply for an IP outside subnet.

ARPREQUEST_SOURCE_MISMATCH; ; MACsource; MACtobetold; IP; count

An ARP request was emmited by MACsource for IP, but with the 'reply-to' field set to MACtobetold.

ARPREPLY_SOURCE_MISMATCH; ; MACsource; MACanwsered; IP; count

An ARP reply emited by MACsource tells that IP belongs to MACanswered, which is different from MACsource.

ARPREPLY_BROADCAST; ; MACsource; MACreplyed; IP; count

An ARP reply telling that IP belongs to MACreplyed was broadcasted. This is very likely a gratuitous ARP, which is another word for spoofing.

PACKET_DESTINATION_MISMATCH; ; MACsource; MACtarget; IPtarget; count

A packet is destinated outside subnet but is not using the MAC of a registered gateway.

PACKET_SOURCE_MISMATCH; ; MACsource; MACtarget; IPsource; count

A packet is originating from outside subnet, but is not using the MAC of a registered gateway.

PACKET_IN_AUTOCONFIGURE_NETWORK; ; MACSource

a packet is originating from the autoconfigure network (169.254.0.0/16): the machine did not receive an expected DHCP reply.

ERR

Used when an unexpected error occurs. arphound is very likely to exit after one of those.

FILES

/etc/arphound.conf

AUTHOR

Matthieu Nottale <matthieu@nottale.net>

Informations about arphound development can be found at http://www.nottale.net/

BUGS

No known bugs to arphound have been reported.

Please reports any bug to the author.

This document was created by man2html, using the manual pages.
Time: 17:36:41 GMT, October 27, 2003