Activate Passive Arp learning

Question

I want to enable my linux-kernel to passively listen (learn) the arp request broadcasted in the lan segment (arp request in the network not destined for me). Is there any configuration available?

What do you want to do with this information? Merely for logging purposes, or do you want to forward with these entries? If you want forwarding, how many differen tsubnets are attached to this ethernet interface? — Mike Pennington, Jun 28 '12 at 12:19
does it matter anyway what I want to do with the information? — , Jun 28 '12 at 12:46
I tried this without VRRP. I connected 3 routers in a lan. now i sent an arp request from the first router to second routers. Now both get each other's mac-address. Meanwhile tcpdump was running on the router3 and I could see that the arp-request went to router3 also but it didn't updated its arp table. I want it to passively listen and learn. All the routers have linux kernel. — , Jun 28 '12 at 13:12
The "why" matters often just as much (if not more) than the "how". All good technical questions should contain what you're trying to achieve, because that allows us to help you best and maybe even offer up some clever alternatives that you hadn't thought of. That's the beauty of collective knowledge. — Dan, Jun 29 '12 at 11:27

score 2 · Answer 1 · answered Jun 29 '12 at 11:14

2

Does the information have to be collected by the kernel? Or do you just need the machine to collect the information?

A good solution for learning the arp mappings in a network is Arpwatch. I run it on RHEL and it works like a champ. It keeps all the mappings in a database file, and can be configured to email on various kinds of events, like a new mapping appearing, or the MAC address mapped to an IP address changing.

answered Jun 29 '12 at 11:14

Bart B

3,457
6
31
42

I'm sorry but arpwatch isn't helpful for the reasons I explained in my answer. – Mike Pennington Jun 30 '12 at 13:59

score 1 · Answer 2 · answered Jun 28 '12 at 14:01

What you want is not what ARP (or ethernet switching) is supposed to do; ethernet switches deliver ARP replies to the address in the ethernet frame, and ARP replies are sent to a unicast mac-address.

If you want to constantly keep the mac-address of a host in your local linux ARP table, then cron a job to send a ping to each host every five minutes. Alternatively, you can manually hard-code the ARP entry in linux (as root):

arp -s 192.168.0.65 00:50:ba:85:85:ca

Activate Passive Arp learning

2 Answers2