A tool similar to arpwatch for IPv4/IPv6 and ethernet address pairing monitoring.
Clone or download
Pull request Compare This branch is 9 commits ahead, 21 commits behind fln:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
doc
init_script
scripts
src
COPYING
ChangeLog
INSTALL
Makefile.am
NEWS
README
addrwatch_0.8-1_amd64.deb
bootstrap.sh
configure.ac

README

===========
 addrwatch
===========

This is a tool similar to arpwatch. It main purpose is to monitor network and 
log discovered ethernet/ip pairings.

Main features of addrwatch:

* IPv4 and IPv6 address monitoring
* Monitoring multiple network interfaces with one daemon
* Monitoring of VLAN tagged (802.1Q) packets.
* Output to stdout, plain text file, syslog, sqlite3 db, MySQL db
* IP address usage history preserving output/logging

Addrwatch is extremely useful in networks with IPv6 autoconfiguration 
(RFC4862) enabled. It allows to track IPv6 addresses of hosts using IPv6 
privacy extensions (RFC4941).

The main difference between arpwatch and addrwatch is the format of output
files.

Arpwatch stores only current state of the network ethernet/ip pairings and 
allows to send email notification when a pairing change occurs. This is fine
for small and rather static networks. In arpwatch case all the history of
pairings is saved only in administrators mailbox. When arpwatch is used for
monitoring dozen or more networks it becomes hard to keep track of the historic
address usage information.

Addrwatch do not keep persistent network pairings state but instead logs all 
the events that allow ethernet/ip pairing discovery. For IPv4 it is ARP 
requests, ARP replies and ARP ACD (Address Conflict Detection) packets. For 
IPv6 it uses ICMPv6 Neighbor Discovery and (DAD) Duplicate Address Detection 
packets (Neighbor Solicitations, Neighbor Advertisements).

The output file produced by addrwatch is similar to arpwatch. Example of
addrwatch output file::

 1329486484 eth0 0 00:aa:bb:cc:dd:ee fe80::2aa:bbff:fecc:ddee ND_NS
 1329486485 eth0 0 00:aa:bb:cc:dd:ee 192.168.1.1 ARP_REQ
 1329486485 eth0 0 00:aa:bb:ff:00:11 192.168.1.3 ARP_ACD
 1329486486 eth0 7 00:11:11:11:11:11 fe80::211:11ff:fe11:1111 ND_NS
 1329486487 eth0 7 00:22:22:22:22:22 fe80::222:22ff:fe22:2222 ND_DAD
 1329486488 eth0 7 00:33:33:33:33:33 192.168.2.2 ARP_REQ

For each pairing discovery event addrwatch produce timestamp, interface, 
vlan_tag (untagged packets are marked with 0 vlan_tag), ethernet address, IP 
address and packet type seperated by spaces.

To prevent addrwatch from producing too many duplicate output data in active
networks rate-imiting should be used. Read more in 'Ratelimit' section. 

Installation
============

To compile addrwatch you mus have following shared libraries:

* libpcap
* libevent
* OPTIONAL libsqlite3

To compile addrwatch with sqlite3 support::

 $ ./configure --enable-sqlite3
 $ make
 $ make install

To compile addrwatch without sqlite3 support::

 $ ./configure
 $ make
 $ make install

If you do not want to install addrwatch to the system, skip the 'make install' 
step. You can find compiled addrwatch binary in 'src' directory. This is the 
only file needed to run the program and the only file that would otherwise be
installed to the system.

Uninstallation
==============

If you have used 'make install' to install addrwatch to a system you can remove
with command::

 $ make uninstall

In the sources directory.

If you have already deleted the addrwatch sources, you can manually remove
addrwatch from the system with command::

 $ rm /usr/local/bin/addrwatch
 $ rm /usr/local/share/man/man8/addrwatch.8

If you have specified --prefix argument to configure script substitute 
/usr/local with the prefix path used.

Usage
=====

To simply try out addrwatch start ir without any arguments::

 $ addrwatch

When started like this addrwatch opens first non loopback interface and start
logging event to the console without writing anything to disk. All events
are printed to stdout, debug, warning, and err messages are sent to syslog and
printed to stderr.

If you get error message:
addrwatch: ERR: No suitable interfaces found!

It usually means you started addrwatch as normal user and do not have sufficient
privileges to start sniffing on network interface. You should start addrwatch as
root::

 $ sudo addrwatch

You can specify which network interface or interfaces should be monitored by
passing interface names as arguments. For example::

 $ addrwatch eth0 tap0

To find out about more usage options::

 $ addrwatch --help

Ratelimiting
============

If used without ratelimiting addrwatch reports etherment/ip pairing everytime it
gets usable ARP or IPv6 ND packet. In actively used networks it generates many
duplicate pairings especially for routers and servers.

Ratelimiting option '-r NUM' or '--ratelimit=NUM' surpress output of duplicate
pairings for at least NUM seconds. In other words if addrwatch have discovered 
some pairing (mac,ip) it will not report (mac,ip) again unless NUM seconds have
passed.

There is one exception to this rule to track ethernet address changes. If
addrwatch have discovered pairings: (mac1,ip),(mac2,ip),(mac1,ip) within
ratelimit time window it will report all three pairings. By doing so 
ratelimiting will not loose any information about pairing changes.

For example if we have a stream of events:

====  =================  ===========
time  ethernet           ip
====  =================  ===========
0001  11:22:33:44:55:66  192.168.0.1
0015  11:22:33:44:55:66  192.168.0.1
0020  aa:bb:cc:dd:ee:ff  192.168.0.1
0025  aa:bb:cc:dd:ee:ff  192.168.0.1
0030  11:22:33:44:55:66  192.168.0.1
0035  11:22:33:44:55:66  192.168.0.1
0040  aa:bb:cc:dd:ee:ff  192.168.0.1
0065  aa:bb:cc:dd:ee:ff  192.168.0.1
====  =================  ===========

With --ratelimit=100 we would get:

====  =================  ===========
0001  11:22:33:44:55:66  192.168.0.1
0020  aa:bb:cc:dd:ee:ff  192.168.0.1
0030  11:22:33:44:55:66  192.168.0.1
0040  aa:bb:cc:dd:ee:ff  192.168.0.1
====  =================  ===========

Without such exception output would be:

====  =================  ===========
0001  11:22:33:44:55:66  192.168.0.1
0020  aa:bb:cc:dd:ee:ff  192.168.0.1
====  =================  ===========

And we would loose information that address 192.168.0.1 was used by ethernet
address 11:22:33:44:55:66 between 30-40th seconds.

To sum up ratelimiting reduces amount of duplicate information without loosing
any ethernet address change events.

Ratelimit option essentially limits data granularity for IP address usage 
duration information (when and for what time period specific IP address was 
used). On the other hand without ratelimiting at all you would not get very 
precise IP address usage duration information anyways because some hosts might 
use IP address without sending ARP or ND packets as often as others 
do.


If NUM is set to 0, ratelimiting is disabled and all pairing discovery events
are reported.

If NUM is set to -1, ratelimiting is enabled with infinitely long time window
therefore all duplicate pairings are suppressed indefinitely. In this mode 
addrwatch acts almost as arpwatch with the exception that ethernet address 
changes are still reported.

It might look tempting to always use addrwatch with --ratelimit=-1 however by
doing so you loose the information about when and for what period of time 
specific IP address was used. There will be no difference between temporary IPv6 
addressed which was used once and statically configured permanent addresses.

Event types
===========

Ethernet/ip pairing discovery can be triggered by these types of events:

* ARP_REQ - ARP Request packet. Sender hardware address (ARP header) and sender
  protocol address (ARP header) is saved.
* ARP_REP - ARP Reply packet. Sender hardware address (ARP header) and sender
  protocol address (ARP header) is saved.
* ARP_ACD - ARP Address collision detection packet. Sender hardware address
  (ARP header) and target protocol address (ARP header) is saved.
* ND_NS - Neighbor Solicitation packet. Source link-layer address (NS option)
  and source address (IPv6 header) is saved.
* ND_NA - Neighbor Advertisement packet. Target link-layer address (NA option)
  and source address (IPv6 header) is saved.
* ND_DAD - Duplicate Address Detection packet. Source MAC (Ethernet header)
  and target address (NS header) is saved.