Shulou(Shulou.com)06/01 Report--

This article mainly explains "the usage of the Linux basic command arpwatch". Interested friends may wish to have a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn the usage of the basic Linux command arpwatch.

Arpwatch

The arpwatch instruction can listen for the correspondence between the network device and the ip address and send the discovered information to the system log "/ var/log/message".

The scope of this command: RedHat, RHEL, Ubuntu, CentOS, SUSE, openSUSE, Fedora.

1. Grammar

Arpwatch [options]

2. List of options

Option

Description

-d

Debug mode is turned on, and debugging information is sent to the terminal.

-f file

Sets the storage file for arp records. The default is arp.dat. Before you can start using this directive, you must create an empty arp.dat

-I interface

Specify network interfac

-n

Describe the local network

-N

-N flag forbids reporting

-r

Read the arp record from the specified file

-e

Specify the target user to send mail. The default is root.

S

Specify the source user to send mail, default root

3. Report information

information

Description

New activity

This pair of ethernet/ip addresses has been used for the first time for six months or more.

New station

This ip address has never used this Ethernet address before.

Flip flop

The Ethernet address has changed from the most recently seen address to the second most recently seen address. (if the old or new Ethernet address is a DECnet address and less than 24 hours, the e-mail version of the report will be cancelled.)

Changed ethernet address

The host switches to the new Ethernet address.

4. System log information

information

Description

Ethernet broadcast

The mac Ethernet address of the host is the broadcast address.

Ip broadcast

The IP address of the host is the broadcast address.

Bogon

The source ip address is not the local address of the local subnet.

Ethernet broadcast

The source mac or arp Ethernet address is either 1 or all zero.

Ethernet mismatch

The source Mac Ethernet address does not match the address in the ARP packet.

Reused old ethernet address

The Ethernet address has changed from the last seen address to the third (or greater) least recently seen address. (this is similar to a trigger.)

Suppressed DECnet flip flop

"flip flop" reporting is prohibited because one of the two addresses is a DECnet address.

5. Examples

Monitor arp messages

[root@localhost ~] # arpwatch-I eth0 / / listens to the network card eht0

[root@localhost ~] # tail-n 3 / var/log/messages / / View recent log information

Sep 30 08:29:59 localhost arpwatch: listening on eth0

Sep 30 08:30:01 localhost arpwatch: new station 192.168.1.1 c8:41:29:f4:4a:20

Sep 30 08:30:12 localhost arpwatch: new station 192.168.1.9 8:0:27:14:33:57

You have new mail in / var/spool/mail/root

At this point, I believe you have a deeper understanding of "the use of the Linux basic command arpwatch". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.