Over the past week, I've started getting a lot of emails from arpwatch. I'm not sure how to figure out what has changed that this is now happening.
Typically I'm getting the following messages but also a few "changed ethernet address". The "changed ethernet" are not very often though.
flip flops
hostname: <unknown>
ip address: 0.0.0.0
ethernet address: AA:AA:AA:AA:AA:AA
ethernet vendor: <unknown>
old ethernet address: BB:BB:BB:BB:BB:BB
old ethernet vendor: <unknown>
timestamp: Wednesday, May 22, 2019 18:14:11 -0400
previous timestamp: Wednesday, May 22, 2019 17:57:12 -0400
delta: 16 minutes

hostname: <unknown>
ip address: 0.0.0.0
ethernet address: AA:AA:AA:AA:AA:AA
ethernet vendor: <unknown>
old ethernet address: CC:CC:CC:CC:CC:CC
old ethernet vendor: <unknown>
timestamp: Wednesday, May 22, 2019 18:46:06 -0400
previous timestamp: Wednesday, May 22, 2019 18:31:35 -0400
delta: 14 minutes
Interestingly enough this is only happening with a replacement wifi router in access mode, one MacBook, an iMac and 3 iPhones. They are all using the WIFI network segment to connect. But we have other devices (Android, Chromecast) using WIFI on our network and they aren't having this problem. There are no issues on the wired segment of the network.
The access point has the same settings as the one it replaced. It had no problems like this before. I'm not 100% sure if this started happening after the replacement router was installed or if it started when arpwatch was updated in the 7.5 upgrade. The earliest arpwatch emails are from May 15th.
I've done a bunch of Googling and can't find anything relevant to my network or situation that might cause this. I am wondering if the Access Point is running a DHCP server despite it being disabled but I don't know how to check.
I would appreciate any suggestions on how to debug as the 20+ emails per day from arpwatch are getting very tedious.
Thanks in advance.
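For triaging a mailbox full of these reports, the sketch below (an added example, not part of the original post and not arpwatch's own code) parses records in the layout quoted above and separates 0.0.0.0 entries from flip flops on a real address. It assumes the 0.0.0.0 entries come from ARP probes, which carry an all-zero sender IP (RFC 5227); the 192.0.2.50 record, its MAC addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the report layout quoted in the post, trimmed to the
# fields used here; the 192.0.2.50 record and its MACs are made up.
SAMPLE = """\
hostname: <unknown>
ip address: 0.0.0.0
ethernet address: AA:AA:AA:AA:AA:AA
old ethernet address: BB:BB:BB:BB:BB:BB
hostname: <unknown>
ip address: 0.0.0.0
ethernet address: AA:AA:AA:AA:AA:AA
old ethernet address: CC:CC:CC:CC:CC:CC
hostname: <unknown>
ip address: 192.0.2.50
ethernet address: DD:DD:DD:DD:DD:DD
old ethernet address: EE:EE:EE:EE:EE:EE
"""

FIELD = re.compile(r"^\s*([a-z ]+?):\s*(.+?)\s*$")

def parse_records(text):
    """Split report text into dicts; each 'hostname' line starts a new record."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # mail headers, subject lines, blank lines
        key, value = m.groups()
        if key == "hostname":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def triage(records):
    """Group MACs per IP; 0.0.0.0 is a probe sender address, not a host."""
    macs = defaultdict(set)
    for r in records:
        if "ip address" in r:
            pair = (r.get("ethernet address"), r.get("old ethernet address"))
            macs[r["ip address"]].update(m.lower() for m in pair if m)
    probes = sorted(macs.pop("0.0.0.0", set()))
    review = {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}
    return {"probe_senders": probes, "review": review}

if __name__ == "__main__":
    print(triage(parse_records(SAMPLE)))
```

Entries under `review` are addresses claimed by more than one MAC and are the ones worth checking against DHCP leases; `probe_senders` lists the stations behind the 0.0.0.0 reports.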
Responses (5)
-
Accepted Answer
Thank you all for your help.
I thought I should give you an update.
Given some of the posts here and found through Google, I decided to try to rule out the replacement Access Point. I exchanged the new with the old Access Point to see if that might fix things.
As of the past 4 days, I've only had 1 changed ethernet connection and 1 flip flop. So I'm leaning towards the Access Point being the culprit.
I've contacted the Access Point supplier to see if by chance the box is sending out DHCP connections even when it is supposed to be turned off.
Will report back as I learn more.
-
Accepted Answer
Lots of ways of telling your LAN interfaces - IP Settings in the webconfig, "ps aux | grep arpwatch", "grep IF /etc/clearos/network.conf" and ignore the EXTIF, or, flashier, "ls /etc/systemd/system/multi-user.target.wants/arpwatch*"
All you can do is play with the options. In the past I tried using -n to get rid of the 0.0.0.0 messages but it didn't work. If you have two separate LANIF's, then arpwatch should not need the -n.
Personally I am not sure, really, what arpwatch brings to the table.
-
Accepted Answer
Thank you Nick. Appreciate your help as always!
Is there a way to find what the "your_LAN_interface" is being used from the command?
systemctl restart arpwatch@your_LAN_interface
Before I mess with the command, I should know what "your_LAN_interface" is being executed in the default state.
As I have 2 network segments perhaps I need to add the second segment using the -n option?? Maybe the default is our wired segment but not the wifi segment?
In the man for arpwatch, it says:
The -n flag specifies additional local networks. This can be useful to avoid "bogon" warnings when there is more than one network running on the same wire. If the optional width is not specified, the default netmask for the network's class is used.
I would like to keep arpwatch sending info when it really should and if I turn off the emails then I won't get something when I really should look at it. So I'd really like to continue to try to figure out why this is happening.
Thanks again.
-
Accepted Answer
Last week, app-network-map was updated to add a couple of filters to /var/log/messages. It also added a "-N" to the OPTIONS line in /etc/sysconfig/arpwatch. This should just stop arpwatch logging bogon messages. Neither of these should have had any effect. The log filters could not have affected the e-mails but I guess the -N perhaps could. The other thing which could is if you recently aliased root to yourself in the mail system.
You can try removing the -N but to restart arpwatch you have to do it by the LAN interface with:
systemctl restart arpwatch@your_LAN_interface
It would be interesting to know if it does anything to fix the problem.
The other thing to do is edit the OPTIONS line in /etc/sysconfig/arpwatch and remove the "-s 'root (Arpwatch)'" and change the "-e root" to "-e -" then restart arpwatch. This will stop arpwatch from sending e-mails (which I changed years ago). My options line looks like:
OPTIONS="-u arpwatch -e - -N"