1. OVERVIEW

Arpcomb is another attempt to monitor 'hackers' who use unauthorized IP addresses on Ethernet networks, this time by managing a database holding time:IP:mac triplets. The database has to be fed regularly (e.g. by a cron job) with the current ARP table, which can of course be acquired locally or remotely. Arpcomb lets you search the database and see the periods when a specific MAC or IP was present in the ARP table, see which IP or MAC addresses it was using, and search for MAC and IP conflicts.

The package also includes the 'modcomb' utility, which manages a similar but simpler time:CPE-MAC:modem-MAC table; its intended audience, however, is limited to cable modem network operators.

2. REQUIREMENTS

* gcc, libc
* an *IX system

arpcomb is not at all portable - it was tested only on several setups:

* Linux (shaerrawedd 2.4.19-xfs #7 Fri Oct 4 18:18:38 CEST 2002 i686 unknown)
* FreeBSD (venom 4.6.2-RELEASE-p10 FreeBSD 4.6.2-RELEASE-p10 #0: Tue Mar 25 12:59:45 CET 2003 root@venom:/usr/src/sys/compile/VENOM-3 i386)
* OpenBSD (pantera 3.3 PANTERA#0 i386)
* SunOS (atlantis 5.9 Generic_112233-04 sun4u sparc SUNW,Ultra-5_10)

3. INSTALLATION

* edit Makefile and uncomment the right setting for your OS
* do a 'make'
* copy the 'arpcomb' and 'modcomb' binaries into a desired place.

4. USAGE

(read this and see below for information on modcomb)

arpcomb provides five operation modes:

* adding entries to the database
* querying the database for a particular MAC or IP
* searching for IP conflicts
* searching for MAC conflicts
* listing every IP => MAC mapping present in the database

ADDING ENTRIES

This will probably occur in a script called as a cron job (see sample.sh):

# arpcomb -a filename [-t D] database.db

Adds IP => MAC mapping information from filename to database.db with an optional timestamp D. If the timestamp is not specified, the current date is used.

The file 'filename' should contain ARP table entries, one per line, in the format IP:mac, e.g.:

1.2.3.4:aa:bb:cc:dd:ee:ff
3.4.5.6:dd:ee:ff:00:aa:bb

See below for the accepted time/date and MAC address notations.

QUERYING THE DATABASE

# arpcomb [-vcrM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -q MAC database.db
# arpcomb [-vcrM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -q IP database.db

This shows all entries in database.db that have something to do with IP address IP or MAC address MAC. If -s is specified, no entries older than S ('start date') will be loaded; similarly, if -e is specified, no entries newer than E ('end date') will be loaded. -x allows you to ignore a specific MAC or IP address group (e.g. -x 00:10:95:00:00:00/ff:ff:ff:00:00:00 will make arpcomb ignore every MAC beginning with 00:10:95, -x 10.1.0.0/16 will cause every IP address beginning with 10.1. to be ignored, etc.).

The other options mean:

-c  Show MACs in the 'Cisco' notation (aabb.ccdd.eeff)
-v  Show run-time statistics (time taken, memory used)
-r  Show only boundary dates, don't be so verbose
-M  Show the device manufacturer name next to every MAC address

SEARCHING FOR IP AND MAC CONFLICTS

# arpcomb [-vcrM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -m database.db

Prints details on every MAC that was using several IP addresses, including these addresses and the periods when they were used.

# arpcomb [-vcrM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -i [-W] [-w] database.db

Prints details on every IP address that was used by several MAC addresses. The -w and -W options enable the 'hacker search' mode:

-w  causes arpcomb to show all IP addresses used by a MAC next to every MAC that was ever using more than one IP (so you can see the 'legal' IP address of the 'hacker' if he/she(?) was ever using it)
-W  causes arpcomb not to report IP addresses that were used by MACs that ever used only one IP (so you don't see conflicts that were caused by a user who had his NIC replaced)

LISTING THE MAPPINGS

# arpcomb [-vcM] [-s S] [-e E] [-x ig/mask [-x ig/mask ...]] -l database.db

Lists all IP => MAC mappings that were ever passed to arpcomb.

5. EXAMPLES

See "sample.sh", the script that reads the ARP table on a network monitoring station in my network, for an example of how to add entries to the database.

6. ACCEPTED DATA NOTATIONS

- MAC notations: MAC addresses may be passed in the following notations:
  - The 'Cisco' notation: 00bb.aadd.ccaa
  - The 'Standard' notation: 00:bb:aa:dd:cc:aa
  - The 'Condensed' notation: 00bbaaddccaa
- Date notations: timestamps may be passed in the following notations:
  - The 'date-only' notation: 1978-01-01
  - The 'date&hour' notation: "1978-01-01 00:01:01"
  - The 'offset' notation: '-8h', '-32hours', '-1day', '-5days', '-4weeks', '-2w', etc.

7. MODCOMB

modcomb manages a database of time:CPE-mac:modem-mac entries; its intended audience is quite limited, as such a database is very specific (for DOCSIS cable modem networks, when you want to log who was behind which modem). The idea is very similar: you feed the database with a cron job (this time, CPE and modem MACs are separated by a space, not a colon, e.g.:

aa:bb:cc:dd:ee:ff aabb.ccdd.eeff

), then you can query it for CPE and modem addresses (-q and -Q respectively). Additionally, it is possible to specify MACs in a 'snmpwalk' notation: 0.128.2.3.4.16 (which is: 00:80:02:03:04:f0). Of course searching for conflicts is impossible (now who'd need that??)

8. AUTHORS, ACKNOWLEDGEMENTS

Mateusz 'mteg' Golicz

9. LICENSE

The package is licensed under the GNU General Public License. See the COPYING file.

Mateusz 'mteg' Golicz
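As an added example, not code from the arpcomb package, the Python below reproduces the core of what sections 4, 6 and 7 describe: it parses an 'IP:mac' feed in every MAC notation listed above (including modcomb's 'snmpwalk' form), drops rows matching -x style ignores, and runs the -m and -i conflict searches over constructed time:IP:mac triplets. The feeds, addresses, timestamps and the reading of -W are assumptions of mine, not the tool's actual output.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

def norm_mac(s):
    """Normalize every MAC notation the README lists to aa:bb:cc:dd:ee:ff."""
    parts = s.split(".")
    if len(parts) == 6 and all(p.isdigit() for p in parts):   # modcomb 'snmpwalk': 0.128.2.3.4.16
        return ":".join("%02x" % int(p) for p in parts)
    hexstr = re.sub(r"[:.]", "", s).lower()                    # Cisco, Standard or Condensed
    if not re.fullmatch(r"[0-9a-f]{12}", hexstr):
        raise ValueError("unrecognized MAC notation: " + s)
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))
mac_int = lambda s: int(norm_mac(s).replace(":", ""), 16)

def load_feed(text, ts, ip_ignores=(), mac_ignores=()):
    """'IP:mac' lines taken at ts -> (ts, ip, mac) rows, minus -x style ignores (CIDRs, MAC/mask pairs)."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        ip, mac = line.split(":", 1)                           # first colon ends the IPv4 address
        if any(ip_address(ip) in ip_network(n) for n in ip_ignores) or \
           any(mac_int(mac) & mac_int(k) == mac_int(g) & mac_int(k) for g, k in mac_ignores):
            continue
        rows.append((ts, ip, norm_mac(mac)))
    return rows

IP, MAC = 1, 2   # row columns; 'YYYY-MM-DD HH:MM' timestamps sort chronologically as strings
def spans(rows, key, val):   # key -> val -> (first_seen, last_seen); spans(rows, MAC, IP) = IPs per MAC
    out = defaultdict(dict)
    for row in rows:
        lo, hi = out[row[key]].get(row[val], (row[0], row[0]))
        out[row[key]][row[val]] = (min(lo, row[0]), max(hi, row[0]))
    return out
def mac_conflicts(rows):   # -m: every MAC that used more than one IP, with the period of each
    return {m: ips for m, ips in spans(rows, MAC, IP).items() if len(ips) > 1}
def ip_conflicts(rows, strict=False):   # -i: every IP used by more than one MAC
    # strict approximates -W (my reading of it, an assumption): skip IPs whose every MAC only ever
    # used one IP, i.e. a plain NIC replacement rather than a host borrowing someone's address.
    per_mac = spans(rows, MAC, IP)
    return {ip: macs for ip, macs in spans(rows, IP, MAC).items()
            if len(macs) > 1 and not (strict and all(len(per_mac[m]) == 1 for m in macs))}
# Constructed feeds: aa:bb:cc:00:00:02 (normally 10.0.0.9) shows up on 10.0.0.5 at 11:00 next to
# the rightful owner; 10.0.0.20 merely changed NIC; the last two 11:00 rows match the -x ignores.
FEEDS = [("2003-03-25 10:00", "10.0.0.5:aa:bb:cc:00:00:01\n10.0.0.9:aabb.cc00.0002\n10.0.0.20:aabbcc000003"),
         ("2003-03-25 11:00", "10.0.0.5:aa:bb:cc:00:00:02\n10.0.0.5:aa:bb:cc:00:00:01\n10.0.0.20:aabbcc000004\n"
                              "10.1.2.3:00:00:00:00:00:09\n10.0.0.30:00:10:95:11:22:33")]
def demo():
    ignores = dict(ip_ignores=["10.1.0.0/16"], mac_ignores=[("00:10:95:00:00:00", "ff:ff:ff:00:00:00")])
    rows = [r for ts, txt in FEEDS for r in load_feed(txt, ts, **ignores)]
    return mac_conflicts(rows), ip_conflicts(rows), ip_conflicts(rows, strict=True)
```

Plain -i reports both 10.0.0.5 and 10.0.0.20; the strict variant keeps only 10.0.0.5, because one of its MACs is also known under a different address.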