> Has someone said arpwatch yet?
> Arpwatch maintains a database of Ethernet MAC addresses seen on the
> network, with their associated IP pairs. Alerts the system administrator
> via e-mail if any change happens, such as new station/activity,
> flip-flops, changed and re-used old addresses.
Unless I have this totally wrong, arpwatch is no good to me...
To give you an example, let's say I have a 192.168.0.* subnet (except the
real subnet is routable IP space...) which has a Linux router sitting
between it and the internet...
The ingress/egress filtering on the router blocks anything not from the
192.168.0.* from leaving and anything not going to the 192.168.0.* from
entering...
I have been seeing packets being dropped on the **internal** interface
that have source IPs like 10.0.0.1 (except, again, they are routable IPs
and not private ones)...
The thing with ARP is that none of the machines are going to respond to
"who has 10.0.0.1" because all of them are configured with 192.168.0.*
IPs...
It would be only in the Ethernet frame of the spoofed packets that I would
be able to put the spoofed IP and MAC address together...
Is there a tool that captures Ethernet frames?
later
marty
"I can't buy what I want because it's free. Can't be what they want
because I'm me." - Corduroy, Pearl Jam
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
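The pairing Marty describes, pulling the source MAC out of the Ethernet header and the source IP out of the IPv4 header of the same frame, as an added illustration that is not part of the thread: the frame parser runs over two constructed sample frames (one legitimate 192.168.0.x host, one frame from the same NIC claiming 10.0.0.1), and the optional `capture()` helper assumes Linux, a raw `AF_PACKET` socket and CAP_NET_RAW on the internal interface.

```python
import ipaddress
import socket
import struct
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) for an IPv4 Ethernet frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_hdr = frame[ETH_HDR_LEN:ETH_HDR_LEN + 20]
    # IPv4 source address occupies bytes 12..16 of the IP header
    src_ip = ipaddress.IPv4Address(ip_hdr[12:16])
    src_mac = ":".join(f"{b:02x}" for b in src)
    return src_mac, src_ip

def flag_offnet_sources(frames, local_net):
    """Pair the Ethernet source MAC with any IPv4 source outside local_net."""
    net = ipaddress.IPv4Network(local_net)
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[1] not in net:
            hits.append((parsed[0], str(parsed[1])))
    return hits

def build_frame(src_mac: bytes, src_ip: str) -> bytes:
    """Constructed sample: minimal Ethernet + IPv4 header, no payload."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 17, 0)
    ip += ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address("192.168.0.1").packed
    return eth + ip

SAMPLE_FRAMES = [  # constructed test data, not captured traffic
    build_frame(b"\x00\x11\x22\x33\x44\x55", "192.168.0.7"),  # legitimate host
    build_frame(b"\x00\x11\x22\x33\x44\x55", "10.0.0.1"),     # same NIC, spoofed source
]

def capture(iface: str, local_net: str, count: int = 100):
    """Live sniff on Linux (needs CAP_NET_RAW); returns offending (mac, ip) pairs."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    s.bind((iface, 0))
    frames = [s.recv(65535) for _ in range(count)]
    return flag_offnet_sources(frames, local_net)

if __name__ == "__main__":
    print(flag_offnet_sources(SAMPLE_FRAMES, "192.168.0.0/24"))
```

Replacing the sample list with `capture("eth1", "192.168.0.0/24")` on the router's internal interface yields the MAC behind each off-subnet source, which is the correlation arpwatch cannot provide since no ARP exchange ever occurs for those addresses.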