[techtalk] Arpwatch

[Laurel Fan]

Excerpts from linuxchix: 13-Nov-99 Re: [techtalk] Arpwatch by "Norma
Ford"@ci.casa-gra 
> At one point I had accidently ran arpwatch on one of our linux rh6
boxes and I
>  was able to see ipaddress with the host name
> I'm not sure how I even got to this point.
> Well know I have another linux box that does dns host name resolution
internal
>  to our network and I want to make sure I have no duplicates or ip
addresses w
> ithout a host name. We don't have dhcp enabled so I have to keep track
of each
>  address for auditing purposes:-(
> Hope this explained it a little better.

Ok, I think I know what you're talking about.

You probably don't want to use arpwatch.  Arpwatch is for watching arp[1].

To check what ipaddr goes with what hostname or vice versa, use the
host, dig, or nslookup commands.  Suppose you have a list of ip
addresses, you could look up the hostname for each, then look for
duplicates or blank entries.  If you've got a lot of ips you need to do
this for, you can write a script.

btw, is there an reason you can't just make sure the config on your
nameserver is correct?




[1] arp is address resolution protocol.  On an ethernet network, arp
translates an ip address to an ethernet hardware address.  It will
be the hwaddr of the target machine, or if it's not on the network,
the appropriate router or gateway.  Basically, arp broadcasts an
arp request to the ethernet network, asking for an ipaddr->hwaddr
translation, then caches it for further use.  Since it broadcasts,
any computer on the network can watch everyone else's.  arpwatch-ing is
somewhat useful because by looking at what ip addresses someone
wants translated, you can see what computers they're connecting
to, and therefore what web/ftp sites they're visiting, where they
have accounts, etc.  Sort of like packet sniffing, but it has the
disadvantage of not giving you as much information, and the advantge
of working on switched ethernet. 

************
techtalk at linuxchix.org   http://www.linuxchix.org