Index of /arpcomb

      Name                    Last modified       Size  Description

[DIR] Parent Directory        27-May-2007 23:43     -
[TXT] CZYTAJ.TO               12-Jul-2003 01:53    6k
[   ] arpcomb-0.92.tar.gz     12-Jul-2003 01:54   88k  GZIP compressed docume>


1. OVERVIEW

  Arpcomb is another attempt to monitor 'hackers' who use unauthorized IP
addresses on Ethernet networks, this time by managing a database holding
time:IP:mac triplets. The database has to be fed regularly (eg. by a cron job)
with the current ARP table - which can of course be acquired locally or
remotely. Arpcomb will let you search the database and see periods when a
specific MAC or IP was present in the ARP table, see which IP or MAC
addresses it was using, and search for MAC and IP conflicts.

  The package also includes the 'modcomb' utility, which manages a similar,
but simpler time:CPE-MAC:modem-MAC table; however its intended audience seems to
be limited to cable modem network operators.

2. REQUIREMENTS

  * gcc, libc
  * an *IX system

  arpcomb is not at all portable - it was tested only on several setups:
  * Linux (shaerrawedd 2.4.19-xfs #7 Fri Oct 4 18:18:38 CEST 2002 i686 unknown)
  * FreeBSD (venom 4.6.2-RELEASE-p10 FreeBSD 4.6.2-RELEASE-p10 #0: Tue Mar 25
           12:59:45 CET 2003     root@venom:/usr/src/sys/compile/VENOM-3  i386)
  * OpenBSD (pantera 3.3 PANTERA#0 i386)
  * SunOS (atlantis 5.9 Generic_112233-04 sun4u sparc SUNW,Ultra-5_10)


3. INSTALLATION

  * edit Makefile and uncomment the right setting for your OS
  * do a 'make'
  * copy the 'arpcomb' and 'modcomb' binaries into a desired place.
   
4. USAGE

  (read this section first; modcomb is described below)
  arpcomb provides five operation modes:
  * adding entries to the database
  * querying the database for a particular MAC or IP
  * search for IP conflicts
  * search for MAC conflicts
  * list every IP => MAC mapping present in the database
  
  ADDING ENTRIES
  This will probably occur in a script called as a cron job (see sample.sh)
  # arpcomb -a filename [-t D] database.db
    Adds IP => MAC mapping information from filename to database.db with
  an optional timestamp D. If the timestamp is not specified, the current
  date is used. The file 'filename' should contain ARP table entries,
  one per line, in the format IP:mac, eg.:
     1.2.3.4:aa:bb:cc:dd:ee:ff
     3.4.5.6:dd:ee:ff:00:aa:bb
    See below for accepted time/date and MAC address notations.

  QUERYING THE DATABASE
  # arpcomb [-vcrM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -q MAC database.db
  # arpcomb [-vcrM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -q IP database.db
    This shows all entries in database.db that have something to do with
  IP address IP or MAC address MAC. If -s is specified, no entries older than
  S ('start date') will be loaded; similarly, if -e is specified, no entries
  newer than E ('end date') will be loaded. -x allows you to ignore a specific
  MAC or IP address group (eg. -x 00:10:95:00:00:00/ff:ff:ff:00:00:00 will
  make arpcomb ignore every MAC beginning with 00:10:95, -x 10.1.0.0/16 will
  cause every IP address beginning with 10.1. to be ignored, etc.).
  The other options mean:
     -c  Show MACs in the 'Cisco' notation (aabb.ccdd.eeff)
     -v  Show run-time statistics (time taken, memory used)
     -r  Show only boundary dates, don't be so verbose
     -M  Show the device manufacturer name near every MAC address

  SEARCHING FOR IP AND MAC CONFLICTS
  # arpcomb [-vcrM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -m database.db
  Prints details on every MAC that was using several IP addresses,
  including these addresses and the periods when they were used.
  # arpcomb [-vcrM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -i [-W] [-w] database.db
  Prints details on every IP address that was used by several MAC
  addresses. The -w and -W options enable the 'hacker search' mode:
  -w causes arpcomb to show all IP addresses used by a MAC
     near every MAC that was ever using more than one IP (so you
     can see the 'legal' IP address of the 'hacker' if he/she(?) was
     ever using it)
  -W causes arpcomb not to report IP addresses that were used by
     MACs that ever used only one IP (so you don't see conflicts
     that were caused by a user that had his NIC replaced)

  LISTING THE MAPPINGS
  # arpcomb [-vcM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -l database.db
  Will list all IP => MAC mappings that were ever passed to arpcomb.
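  The following is an added example and not part of arpcomb itself: a small
Python model of the -m and -i modes, the -s/-e date window and the -w/-W
'hacker search' flags described above, run over a constructed sample database.
The record layout, function names and sample data are assumptions of this
example, as is the reading of -W as "hide a conflicting IP when none of its
MACs ever held another address" (the replaced-NIC case the text describes).

```python
"""Conflict search over an arpcomb-style time:IP:mac database.

Added example, not arpcomb's own code: it re-implements the -m and -i
modes, the -s/-e window and the -w/-W flags from section 4 over
constructed sample data. Names, record layout and data are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample database: one ARP-table snapshot per hour, stored as
# "date time ip mac" lines (arpcomb's real on-disk format is not shown in
# the README; this layout is assumed for the example).
SAMPLE_DB = """\
2003-07-01 00:00:00 10.1.0.5 00:10:95:aa:aa:aa
2003-07-01 00:00:00 10.1.0.6 00:10:95:bb:bb:bb
2003-07-01 01:00:00 10.1.0.5 00:10:95:aa:aa:aa
2003-07-01 01:00:00 10.1.0.6 00:10:95:cc:cc:cc
2003-07-01 02:00:00 10.1.0.5 00:10:95:cc:cc:cc
2003-07-01 02:00:00 10.1.0.7 00:10:95:dd:dd:dd
2003-07-01 03:00:00 10.1.0.7 00:10:95:ee:ee:ee
"""
# Story behind the data: cc:cc:cc holds 10.1.0.6 legitimately, then grabs
# 10.1.0.5 (an IP conflict with aa:aa:aa, and a MAC conflict for cc:cc:cc);
# 10.1.0.7 simply moves from dd:dd:dd to ee:ee:ee, i.e. a replaced NIC.


def parse_db(text):
    """Parse the sample lines into (timestamp, ip, mac) triplets."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, clock, ip, mac = line.split()
            records.append((datetime.fromisoformat(f"{date} {clock}"), ip, mac.lower()))
    return records


def select(records, start=None, end=None):
    """-s S / -e E: keep only entries between start and end (inclusive)."""
    return [r for r in records
            if (start is None or r[0] >= start) and (end is None or r[0] <= end)]


def periods(records):
    """Map each (ip, mac) pair to its (first_seen, last_seen) period."""
    seen = {}
    for ts, ip, mac in records:
        first, last = seen.get((ip, mac), (ts, ts))
        seen[(ip, mac)] = (min(first, ts), max(last, ts))
    return seen


def mac_conflicts(records):
    """-m: every MAC that used several IPs, with the period of each IP."""
    by_mac = defaultdict(dict)
    for (ip, mac), span in periods(records).items():
        by_mac[mac][ip] = span
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def ip_conflicts(records, hide_single_ip_macs=False, show_all_ips=False):
    """-i [-W] [-w]: every IP that was used by several MACs.

    hide_single_ip_macs (-W, assumed reading): drop a conflict when none of
    the MACs involved ever used another IP (what a replaced NIC looks like).
    show_all_ips (-w): beside each MAC that used more than one IP, list every
    IP it used, so its 'legal' address shows up next to the conflict.
    """
    spans = periods(records)
    ips_of_mac, macs_of_ip = defaultdict(set), defaultdict(set)
    for ip, mac in spans:
        ips_of_mac[mac].add(ip)
        macs_of_ip[ip].add(mac)
    result = {}
    for ip, macs in macs_of_ip.items():
        if len(macs) < 2:
            continue
        if hide_single_ip_macs and all(len(ips_of_mac[m]) == 1 for m in macs):
            continue
        entry = {}
        for mac in sorted(macs):
            first, last = spans[(ip, mac)]
            detail = {"first": first, "last": last}
            if show_all_ips and len(ips_of_mac[mac]) > 1:
                detail["all_ips"] = sorted(ips_of_mac[mac])
            entry[mac] = detail
        result[ip] = entry
    return result


if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    for mac, ips in mac_conflicts(db).items():
        print(f"MAC {mac} used {len(ips)} IPs: " +
              ", ".join(f"{ip} ({a} .. {b})" for ip, (a, b) in sorted(ips.items())))
    for hide, show in ((False, False), (True, False), (False, True)):
        print(f"-i -W={hide} -w={show}:")
        for ip, macs in sorted(ip_conflicts(db, hide, show).items()):
            for mac, d in macs.items():
                extra = f"  all IPs: {', '.join(d['all_ips'])}" if "all_ips" in d else ""
                print(f"   {ip} <- {mac}  {d['first']} .. {d['last']}{extra}")
```

Running it shows 10.1.0.7 dropped by -W (both of its MACs only ever held that
one address) while 10.1.0.5 and 10.1.0.6 stay, and -w printing 10.1.0.6 next to
cc:cc:cc in the 10.1.0.5 conflict, which is how the 'legal' address of the
offending host becomes visible.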
5. EXAMPLES

  See "sample.sh", the script that reads the ARP table on a network
monitoring station in my network, for an example of how to add entries to
the database.

6. ACCEPTED DATA NOTATIONS

  - MAC notations: MAC addresses might be passed in the following notations:
     - The 'Cisco' notation: 00bb.aadd.ccaa
     - The 'Standard' notation: 00:bb:aa:dd:cc:aa
     - The 'Condensed' notation: 00bbaaddccaa
  - Date notations: timestamps might be passed in the following notations:
     - The 'date-only' notation: 1978-01-01
     - The 'date&hour' notation: "1978-01-01 00:01:01"
     - The 'offset' notation: '-8h', '-32hours', '-1day', '-5days', '-4weeks',
       '-2w', etc.

7. MODCOMB

  modcomb manages a database of time:CPE-mac:modem-mac entries; its intended
audience is quite limited, as such a database is very specific (for DOCSIS cable
modem networks, when you want to log who-was-behind-which-modem). The idea is
very similar: you feed the database with a cron job (this time, CPE and modem
MACs are separated by a space, not a colon, eg:
        aa:bb:cc:dd:ee:ff aabb.ccdd.eeff
), then you can query it for CPE and modem addresses (-q <mac> and -Q <mac>
respectively). Additionally, it is possible to specify MACs in a 'snmpwalk'
notation: 0.128.2.3.4.16 (which is: 00:80:02:03:04:f0). Of course searching for
conflicts is impossible (now who'd need that??)
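  As an added example, not code from arpcomb or modcomb, the following Python
module shows how the notations from section 6 (Cisco, standard and condensed
MACs; date-only, date&hour and offset timestamps), the -x ignore masks from
section 4 (MAC value/mask and IP/prefix) and modcomb's decimal 'snmpwalk' MAC
form from this section can be parsed into one canonical representation.
Function names and the test inputs are this example's own assumptions; the
snmpwalk form is read as six decimal octets.

```python
"""Input notations for arpcomb/modcomb-style tools.

Added example, not the package's own code: normalises the MAC, timestamp
and -x mask notations listed in the README. Function names are assumed.
"""
import ipaddress
import re
from datetime import datetime, timedelta


def parse_mac(text):
    """Return a MAC as 6 bytes from any of the accepted notations.

    00bb.aadd.ccaa (Cisco), 00:bb:aa:dd:cc:aa (standard), 00bbaaddccaa
    (condensed) and six decimal octets such as 0.128.2.3.4.240 (modcomb's
    'snmpwalk' notation; decimal octets are this example's assumption).
    """
    t = text.strip().lower()
    if re.fullmatch(r"(\d{1,3}\.){5}\d{1,3}", t):   # snmpwalk: 6 decimal octets
        octets = [int(x) for x in t.split(".")]
        if any(o > 255 for o in octets):
            raise ValueError(f"bad snmpwalk MAC: {text}")
        return bytes(octets)
    digits = re.sub(r"[:.]", "", t)                   # drop Cisco dots / colons
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {text}")
    return bytes.fromhex(digits)


def fmt_mac(mac, style="standard"):
    """Render 6 MAC bytes; style 'cisco' matches the -c output format."""
    h = mac.hex()
    if style == "cisco":
        return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"
    if style == "condensed":
        return h
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


# Offset suffixes accepted by the 'offset' notation ('-8h', '-5days', '-2w').
OFFSET_UNITS = {"h": "hours", "hour": "hours", "hours": "hours",
                "d": "days", "day": "days", "days": "days",
                "w": "weeks", "week": "weeks", "weeks": "weeks"}


def parse_time(text, now=None):
    """Parse '1978-01-01', '1978-01-01 00:01:01' or an offset like '-32hours'.

    Offsets are taken relative to `now` (defaults to the current time).
    """
    t = text.strip()
    m = re.fullmatch(r"-(\d+)\s*([a-z]+)", t.lower())
    if m:
        unit = OFFSET_UNITS.get(m.group(2))
        if unit is None:
            raise ValueError(f"unknown offset unit in {text}")
        return (now or datetime.now()) - timedelta(**{unit: int(m.group(1))})
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(t, fmt)
        except ValueError:
            pass
    raise ValueError(f"bad timestamp: {text}")


def ignore_matcher(spec):
    """Build a predicate for one -x argument.

    IP form  10.1.0.0/16 matches IPv4 address strings inside the prefix;
    MAC form 00:10:95:00:00:00/ff:ff:ff:00:00:00 matches 6-byte MACs whose
    masked bits equal the masked value (any MAC notation on either side).
    """
    value, mask = spec.split("/", 1)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
        net = ipaddress.ip_network(spec, strict=False)
        return lambda addr: isinstance(addr, str) and ipaddress.ip_address(addr) in net
    want, bits = parse_mac(value), parse_mac(mask)
    return lambda addr: (isinstance(addr, bytes) and
                         all(a & b == w & b for a, w, b in zip(addr, want, bits)))


def is_ignored(addr, specs):
    """True if a MAC (bytes) or IP (str) is covered by any -x spec."""
    return any(ignore_matcher(s)(addr) for s in specs)


if __name__ == "__main__":
    for sample in ("00bb.aadd.ccaa", "00:BB:AA:DD:CC:AA", "00bbaaddccaa", "0.128.2.3.4.240"):
        print(f"{sample:>20} -> {fmt_mac(parse_mac(sample))} / {fmt_mac(parse_mac(sample), 'cisco')}")
    ref = datetime(2003, 7, 12, 1, 53)
    for sample in ("1978-01-01", "1978-01-01 00:01:01", "-8h", "-32hours", "-2w"):
        print(f"{sample:>20} -> {parse_time(sample, ref)}")
    specs = ["00:10:95:00:00:00/ff:ff:ff:00:00:00", "10.1.0.0/16"]
    for addr in (parse_mac("0010.95aa.bbcc"), parse_mac("00:10:96:aa:bb:cc"), "10.1.200.7", "10.2.0.1"):
        print(f"ignored({addr!r}) = {is_ignored(addr, specs)}")
```

Keeping MACs as bytes internally means the same ignore mask applies however
the address was spelled in the input file, which is the property a cron-fed
database needs when ARP tables come from hosts with different arp(8) output
formats.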

8. AUTHORS, ACKNOWLEDGEMENTS

  Mateusz 'mteg' Golicz <mtg@elsat.net.pl>

9. LICENSE

  The package is licensed under the GNU General Public License. See the COPYING file.
