
Another day, another question!

I am trying to write a script that would monitor my LAN for any new devices connected to it and, if it finds a new device, send me an email.

My test network is a very simple one consisting of just 1 Cisco 2900XL switch. So far the script runs every 2 minutes (cronjob) and finds the new MAC address.

How can I get the IP information corresponding to the MAC found? This is what I have so far:

  1. Scan through the DHCP leases file of the DHCP server to see what IP was assigned to the device (if the device is set to DHCP, though).

  2. If my network had a router, look through its routing tables for the MAC entry, but my setup is a simple one and does not need one.

Also, method #1 would fail if the device had a static IP on it.

Any ideas for this?

thanks
-ankit

ankit
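An added example, not part of ankit's post, of how "method #1" from the question can be scripted: a POSIX shell function that returns the address most recently leased to a MAC in an ISC dhcpd `dhcpd.leases` file. The leases content below is constructed for the example, and the default path `/var/lib/dhcp/dhcpd.leases` is an assumption (it differs between distributions). A MAC that never took a lease, which is exactly the static-IP case the question points out, yields a non-zero status instead of an address.

```shell
#!/bin/sh
# Added example: look up the IP most recently leased to a MAC address in an
# ISC dhcpd leases file ("method #1" from the question). dhcpd appends a new
# block every time a lease changes, so the LAST block naming the MAC is the
# current one; earlier blocks for the same MAC are history.

# Constructed sample in dhcpd.leases syntax (not from a real server). The
# laptop first got .100 and later renewed as .120.
SAMPLE_LEASES='lease 192.168.4.100 {
  starts 0 2011/02/06 17:30:00;
  ends 0 2011/02/06 19:30:00;
  binding state active;
  hardware ethernet 00:1e:ec:c4:8f:82;
  client-hostname "laptop";
}
lease 192.168.4.101 {
  starts 0 2011/02/06 18:00:00;
  ends 0 2011/02/06 20:00:00;
  binding state active;
  hardware ethernet 00:25:9c:11:22:33;
}
lease 192.168.4.120 {
  starts 0 2011/02/06 18:40:00;
  ends 0 2011/02/06 20:40:00;
  binding state active;
  hardware ethernet 00:1e:ec:c4:8f:82;
  client-hostname "laptop";
}'

# ip_for_mac MAC [LEASES_FILE]
# Prints the IP from the last lease block whose "hardware ethernet" matches
# MAC (compared case-insensitively). Returns 1 when no block matches, which
# is what happens for a host with a static IP: it never asks dhcpd for
# anything, so it never appears in this file.
ip_for_mac() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    leases=${2:-/var/lib/dhcp/dhcpd.leases}   # assumed default path; distro-specific
    ip=$(awk -v want="$want" '
        /^lease / { ip = $2 }                  # "lease 192.168.4.120 {" opens a block
        /hardware ethernet/ {
            mac = $3; sub(/;$/, "", mac)       # strip the trailing semicolon
            if (mac == want) found = ip        # later blocks override earlier ones
        }
        END { if (found != "") print found }
    ' "$leases")
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Demo against the constructed sample; on the DHCP server itself you would
# call ip_for_mac "$new_mac" and let the default path apply.
demo_leases() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LEASES" > "$f"
    ip_for_mac 00:1E:EC:C4:8F:82 "$f"                        # -> 192.168.4.120
    ip_for_mac 00:00:00:00:00:01 "$f" || echo "no lease found (static IP?)"
    rm -f "$f"
}
demo_leases
```

The awk pass is deliberately single-pass and keeps only the last match, because a busy server's leases file can hold many historical blocks for one client; reading the first match would return an address the client may no longer hold.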

3 Answers


Arpwatch is available and already does what you want. Depending on your distribution, it's easy to install.

Sven
  • It's a great tool with a long memory. You can check its database to see when a device was last seen. I usually configure it to email me whenever it sees a new device. – BillThor Feb 06 '11 at 17:16
  • @svenW I configured arpwatch with the parameter **eth1 -f /var/lib/arpwatch/arp.dat -n 192.168.4.0/24** but for some reason it's still listening on eth0. Output from message log: **Feb 6 13:17:41 LINUX-GATEWAY arpwatch: listening on eth0** – ankit Feb 06 '11 at 18:20
  • Did you specify `-i eth1`? Because `-i` is the parameter used to specify the interface. – Sven Feb 06 '11 at 18:25
  • I followed the guide [here](http://24h.atspace.com/it/security/arpwatch.htm). Even when I add the flag -i (the config file now has the line **-i eth1 -f /var/lib/arpwatch/arp.dat -n 192.168.4.0/24**) it still listens on eth0. – ankit Feb 06 '11 at 18:28
  • This is weird .. when I launch the command **arpwatch -i eth1 -f /var/lib/arpwatch/arp.dat -n 192.168.4.0/24** from the shell, arpwatch does listen on eth1 but does not log any output to the file specified. I do see stations being discovered from the log output: **Feb 6 13:38:42 LINUX-GATEWAY arpwatch: new station 192.168.4.100 0:1e:ec:c4:8f:82** – ankit Feb 06 '11 at 18:40
  • nvm .. looks like it took a couple of seconds for it to start writing the output .. working fine now. Thanks for the help! – ankit Feb 06 '11 at 18:48
  • @svenW I just connected a brand new device to my network as a test. My script detected the new MAC address in around 20 seconds; however, it's been 10 minutes now and arpwatch has still got no entry for the device. I confirmed the device is getting an IP from my DHCP server and is able to ping the gateway. Any ideas as to why it's taking so long? – ankit Feb 06 '11 at 22:33
  • nvm .. I am an idiot. Just realized the arpwatch service was stopped. Must have turned it off while playing with it earlier. – ankit Feb 06 '11 at 22:35
  • @svenw Quick question. When and how often is the arpwatch data file cleared ... or never? – ankit Feb 07 '11 at 03:12

Show ARP tables:

Linux: `$ arp -an`
Cisco: `>show arp`

Better to use ICMP and SNMP for device discovery.

alvosu
  • ARP did come to mind, but isn't it only on demand? What I mean is that when a new device plugs into the Cisco switch, it then sends a request for a DHCP server and gets the IP information from it. Till this point, since this device has not tried to communicate with my controlling device, there would be no entry in the ARP table in my controlling device. Am I right? – ankit Feb 06 '11 at 17:09
  • @ankit ARP is done when a device comes online to ensure its address is available. This is how arpwatch works. Without ARP a device can only work in passive mode as no other devices will know where to send it packets. Switches tend not to send any traffic to a port until a device does an ARP. – BillThor Feb 06 '11 at 17:22
  • @ankit ARP tables have a timeout. After the timeout the ARP entry is cleared. Better to use arpwatch. – alvosu Feb 06 '11 at 18:07
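As an added example that is not part of alvosu's answer, here is the `arp -an` lookup scripted as a shell function. Two details the thread touches on are handled: the MAC is normalised first, because arpwatch logs it unpadded (`0:1e:ec:c4:8f:82` in ankit's log line above) while `arp -an` prints `00:1e:ec:c4:8f:82`, and an entry that has aged out or never completed (shown by arp as `<incomplete>`) yields a non-zero status rather than a wrong address. The `arp -an` text below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: resolve a MAC to an IP from the local ARP table, as the
# answer suggests, normalising the MAC first so that an address copied from
# an arpwatch log line ("0:1e:ec:c4:8f:82", no zero padding) matches the
# "00:1e:ec:c4:8f:82" that arp -an prints.

# Constructed sample of `arp -an` output on Linux (not captured from a real
# host). The third line is a neighbour whose ARP entry has expired or never
# completed, which arp shows as <incomplete>.
SAMPLE_ARP='? (192.168.4.1) at 00:0a:0b:0c:0d:0e [ether] on eth1
? (192.168.4.100) at 00:1e:ec:c4:8f:82 [ether] on eth1
? (192.168.4.55) at <incomplete> on eth1'

# normalize_mac MAC: lower-case and zero-pad each octet, e.g.
# "0:1E:EC:C4:8F:82" -> "00:1e:ec:c4:8f:82".
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        awk -F: -v OFS=: '{ for (i = 1; i <= NF; i++) if (length($i) == 1) $i = "0" $i; print }'
}

# arp_ip_for_mac MAC: read `arp -an` output on stdin and print the IP whose
# entry carries MAC. Returns 1 when the MAC is absent, which is also what you
# get after the entry has aged out (the timeout alvosu mentions) or when the
# device has not yet exchanged a frame with this host.
arp_ip_for_mac() {
    want=$(normalize_mac "$1")
    ip=$(awk -v want="$want" '
        # Line layout: "? (192.168.4.100) at 00:1e:ec:c4:8f:82 [ether] on eth1"
        $3 == "at" && tolower($4) == want { gsub(/[()]/, "", $2); print $2; exit }
    ')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Demo on the constructed table; live use is:  arp -an | arp_ip_for_mac "$mac"
demo_arp() {
    printf '%s\n' "$SAMPLE_ARP" | arp_ip_for_mac 0:1e:ec:c4:8f:82   # -> 192.168.4.100
    printf '%s\n' "$SAMPLE_ARP" | arp_ip_for_mac 00:00:00:00:00:01 || echo "not in ARP table"
}
demo_arp
```

Because the table only holds neighbours this host has recently exchanged frames with, a miss here does not mean the device is gone; it is the reason the thread settles on arpwatch, which records every new station as it appears rather than relying on the cached table.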

Another way which may be useful is to use nmap and scan your entire network. This way you can get all of the devices connected on your network. http://nmap.org/download.html. Just create a script that runs it as a cron job.

gdurham
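An added example, not part of gdurham's answer, of the cron-job half: two shell functions that parse `nmap -sn` normal output into `mac ip` pairs and report only hosts whose MAC has not been recorded before, appending them to a known-MACs file so the next run stays quiet. The scan output is constructed to match nmap's normal output layout (the scanning host itself is reported without a `MAC Address:` line); the known-MACs path and the mail address in the comment are placeholders.

```shell
#!/bin/sh
# Added example: turn "nmap -sn" output into "mac ip" pairs and report hosts
# whose MAC has not been seen before, which is the detect-new-device half of
# the question wired to the scan this answer proposes.

# Constructed sample of nmap -sn normal output (not a real scan). The scanner
# itself (192.168.4.2) has no MAC line, which is how nmap reports the local
# host; one host is shown with a resolved name to exercise the "(IP)" form.
SAMPLE_SCAN='Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-06 13:38 EST
Nmap scan report for 192.168.4.1
Host is up (0.00028s latency).
MAC Address: 00:0A:0B:0C:0D:0E (Cisco Systems)
Nmap scan report for laptop (192.168.4.100)
Host is up (0.0023s latency).
MAC Address: 00:1E:EC:C4:8F:82 (Unknown)
Nmap scan report for 192.168.4.2
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.11 seconds'

# nmap_hosts: read nmap -sn output on stdin, print one "mac ip" line per host
# that has a MAC (lower-cased so it compares with arp/arpwatch output).
nmap_hosts() {
    awk '
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }  # "(IP)" when a name is shown
        /^MAC Address: /         { print tolower($3), ip }
    '
}

# new_hosts KNOWN_FILE: read "mac ip" lines on stdin, print those whose MAC is
# not yet in KNOWN_FILE (one MAC per line) and append them so the next run is
# quiet. Returns 0 when something new was found, 1 otherwise, so a caller can
# chain the notification on &&.
new_hosts() {
    known=$1
    [ -f "$known" ] || : > "$known"
    fresh=$(awk -v known="$known" '
        BEGIN { while ((getline line < known) > 0) { split(line, f, " "); seen[f[1]] = 1 } }
        !($1 in seen) { print }
    ')
    [ -n "$fresh" ] || return 1
    printf '%s\n' "$fresh"
    printf '%s\n' "$fresh" | cut -d" " -f1 >> "$known"
}

# Demo on the constructed scan. From cron it would read (path and address
# are placeholders):
#   new=$(nmap -sn 192.168.4.0/24 | nmap_hosts | new_hosts /var/lib/lanwatch/known_macs) \
#       && printf '%s\n' "$new" | mail -s "new device on LAN" you@example.com
demo_scan() {
    k=$(mktemp)
    printf '00:0a:0b:0c:0d:0e\n' > "$k"                         # the switch is already known
    printf '%s\n' "$SAMPLE_SCAN" | nmap_hosts | new_hosts "$k"  # -> 00:1e:ec:c4:8f:82 192.168.4.100
    printf '%s\n' "$SAMPLE_SCAN" | nmap_hosts | new_hosts "$k" || echo "nothing new on second run"
    rm -f "$k"
}
demo_scan
```

Keying the baseline on MAC rather than IP is what keeps the alert meaningful on a DHCP network: a known laptop renewing to a different address is not a new device, while a never-seen MAC is, whether it took a lease or configured itself statically.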