try arpwatch, this does exactly what you are looking for... it stores all detected MAC/IP number combinations in a database and reports new entries, changes, etc using email. And it is open source and have it running on linux and FreeBSD. I have good expiriences with arpwatch..
This does not protect you from people who reprogram their ehternet card and set it's MAC-address to know one and use it's corresponding IP address. See also: http://online.securityfocus.com/tools/142 You could also check on the www-proxy server for "unsupported" versions and brands of browsers. Just to give you some idears. Cheers, Renee - - - - - - - - Renee A. Teunissen PTS Software bv, Meerweg 7, 1405BA Bussum, NL. T.+31-(0)35-6926969, M.+31-(0)6-22778313, http://www.pts.nl, <first_name>@pts.nl personal link page: http://wittenburg10c.nl/db/dest/links.html ----- Original Message ----- From: "Ian Lyte" <[EMAIL PROTECTED]> To: "Johan Denoyer" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Friday, November 22, 2002 10:59 AM Subject: RE: IP to MAC mapping > > Hi, > > If you use ettercap with the -O option it passively scans the network for > all ip addresses and MAC addresses that are using it. > > <from ettercap.pdf> > ?O, ??passive > Collect infos in passive mode. This method WILL NOT SEND ANY packet on the > wire. It will > put the interface in promiscuous mode and look for packets passing through > it. every interesting > packet (SYN or SYN+ACK) is analyzed and used to make a complete map of the > LAN. > The infos collected are: IP and MAC of the hosts, type of Operating System > (passive OS fingerprint), > network adapter vendor and running services. (for a technical description > refer to > README) In the list are show even other infos: "GW" if the host is a > GateWay, "NL" if the IP is > not belonging to the LAN and "RT" if the host act as a router. > Useful if you want to make a start up host list in complete passive mode, > when you are satisfied of > the collected infos, you can convert it to the startup host list by simply > press 'C', and then work as > usual. > > Ian > > -----Original Message----- > From: Johan Denoyer [mailto:[EMAIL PROTECTED]] > Sent: 20 November 2002 17:50 > To: [EMAIL PROTECTED] > Subject: IP to MAC mapping > > > Hi, > > we are currently looking into illegal usage of a protected network. We are > managing a class C network, and we would like to be able to detect illegal > usage of the network by finding the MAC address of the ip address used and > then checking it against a database. > > Now I would like to find a software or a perl scrip that would do the work. > (The budget that we have is 0$, so freeware is likely to be the solution) > > I have tried doing searches using google without any luck. If anyone uses > such software, please tell me which one, and where I can find it. > > Thanks, > > > Salutations, > > Johan Denoyer > [EMAIL PROTECTED] > Digital Connexion > http://www.digital-connexion.info > PGP : 0x57A6727B > > > > >
