Section: Maintenance Commands (8)
Updated: Last change: 21 October 2003
ArpHound - Description
ArpHound is a tool that listens to all traffic on a network interface and reports IP/MAC address pairs as well as events such as IP conflicts, IP changes, IP addresses with no RDNS, various kinds of ARP spoofing, and packets not using the expected gateway.
- -c file
use specified configuration file instead of default one
- -f file
also log to file
do not log to syslog
do not run as a daemon
do not log discovery of new IP/MAC pairs when there is neither conflict nor IP change
do not log ARP requests from IP outside subnet
do not log IP with no RDNS
- -ch x
minimum interval in seconds between two log entries when a MAC uses multiple IPs
- -co x
minimum log interval between IP conflict notifications
- -tr x
minimum log interval between two notifications of any trouble involving the same IP/MAC addresses
The output format is standardised to ease parsing.
Each line starts with a timestamp, followed by a string identifying the log event, followed by its parameters, separated by semicolons.
A '!' in the first parameter means the event concerns IP or MAC defined as critical in the configuration file.
A 'c' in the first parameter means the event is a continuation of a previous event.
The last parameter of most events, named count here, represents the number of times a packet triggering the event was seen since the last log.
- DISCOVER; IP; MAC
A new entry has been found. MAC is in the xx:xx:xx:xx:xx:xx form.
- DNS; ; IP; MAC
Specified MAC does not have any DNS entry.
- DHCPREQUEST; ; MAC
- DHCPREPLY; ; MAC
Specified MAC emitted a DHCP request/reply.
- DHCPSERVER; ; MAC
A DHCP reply is not coming from a known DHCP server.
- IPCHANGE; ; MAC; count; fastest; LastIP; FormerIP; OtherIPs...
A MAC address has had several IPs, count being the number of IP change occurrences and fastest being the shortest period between two changes.
- IPCONFLICT; ; IP; MAC1; MAC2; ...
Several MAC addresses have the same IP.
Only the MAC addresses seen using the IP since last log event are displayed.
- ARPREQUEST_OUT; ; MAC; IP; count
- ARPREPLY_OUT; ; MAC; IP; count
An ARP request or reply for an IP outside the subnet.
- ARPREQUEST_SOURCE_MISMATCH; ; MACsource; MACtobetold; IP; count
An ARP request was emitted by MACsource for IP, but with the 'reply-to' field set to MACtobetold.
- ARPREPLY_SOURCE_MISMATCH; ; MACsource; MACanswered; IP; count
An ARP reply emitted by MACsource tells that IP belongs to MACanswered, which is different from MACsource.
- ARPREPLY_BROADCAST; ; MACsource; MACreplyed; IP; count
An ARP reply telling that IP belongs to MACreplyed was broadcast. This is very likely a gratuitous ARP, which is another word for spoofing.
- PACKET_DESTINATION_MISMATCH; ; MACsource; MACtarget; IPtarget; count
A packet is destined outside the subnet but is not using the MAC of a registered gateway.
- PACKET_SOURCE_MISMATCH; ; MACsource; MACtarget; IPsource; count
A packet is originating from outside the subnet, but is not using the MAC of a registered gateway.
- PACKET_IN_AUTOCONFIGURE_NETWORK; ; MACSource
A packet is originating from the autoconfigure network (169.254.0.0/16): the machine did not receive an expected DHCP reply.
Used when an unexpected error occurs.
ArpHound is very likely to exit after one of those.
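An added example, not part of the original manual page or of the ArpHound distribution: a Python parser for the log format described above that sums ARP anomaly packet counts per source MAC and collects IP conflicts. The timestamp layout and the sample lines are constructed assumptions, and the names `parse_line` and `triage` are hypothetical.

```python
from collections import Counter, defaultdict

# Parameter names after the flags field, taken from the event list above.
SCHEMA = {
    "IPCONFLICT": ["IP"],  # remaining parameters are MAC1; MAC2; ...
    "ARPREQUEST_SOURCE_MISMATCH": ["MACsource", "MACtobetold", "IP", "count"],
    "ARPREPLY_SOURCE_MISMATCH": ["MACsource", "MACanswered", "IP", "count"],
    "ARPREPLY_BROADCAST": ["MACsource", "MACreplyed", "IP", "count"],
}

def parse_line(line):
    """Split one log line into timestamp, event, flags and named parameters."""
    head, *params = [p.strip() for p in line.strip().split(";")]
    ts, _, event = head.rpartition(" ")  # assumption: whitespace precedes the event name
    flags = ""
    if params and set(params[0]) <= set("!c"):  # empty, '!', 'c' or both
        flags = params.pop(0)
    names = SCHEMA.get(event, [])
    return {"ts": ts, "event": event,
            "critical": "!" in flags, "continuation": "c" in flags,
            "fields": dict(zip(names, params)), "extra": params[len(names):]}

def triage(lines):
    """Sum ARP anomaly packet counts per source MAC and collect IP conflicts."""
    arp_packets, conflicts, critical = Counter(), defaultdict(set), []
    for rec in map(parse_line, lines):
        f = rec["fields"]
        if rec["event"].startswith("ARP") and "MACsource" in f:
            # count = packets seen since the last log; default to 1 if truncated
            arp_packets[f["MACsource"].lower()] += int(f.get("count") or 1)
        elif rec["event"] == "IPCONFLICT":
            conflicts[f["IP"]].update(m.lower() for m in rec["extra"])
        else:
            continue
        if rec["critical"]:  # '!' flag: IP or MAC marked critical in the config
            critical.append(rec)
    return arp_packets, dict(conflicts), critical

# Constructed sample lines; the timestamp layout is an assumption.
SAMPLE = [
    "2003-10-21 17:30:02 DISCOVER; 192.168.1.20; 00:11:22:33:44:55",
    "2003-10-21 17:31:10 ARPREPLY_SOURCE_MISMATCH; ; 00:de:ad:00:00:01; 00:11:22:33:44:55; 192.168.1.1; 3",
    "2003-10-21 17:31:40 ARPREPLY_BROADCAST; !; 00:DE:AD:00:00:01; 00:de:ad:00:00:01; 192.168.1.1; 12",
    "2003-10-21 17:32:05 IPCONFLICT; c; 192.168.1.1; 00:aa:bb:cc:dd:ee; 00:de:ad:00:00:01",
]

if __name__ == "__main__":
    packets, conflicts, critical = triage(SAMPLE)
    print(packets.most_common(), conflicts, [r["event"] for r in critical])
```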
arphound.conf(5), arp(8)
Matthieu Nottale <email@example.com>
development can be found at
No known bugs to
have been reported.
Please report any bug to the author.
Time: 17:36:41 GMT, October 27, 2003