arphound(8) - Linux man page

Name

ArpHound - Description

Synopsis

arphound [OPTIONS]

Description

arphound is a tool that listens to all traffic on a network interface and reports IP/MAC address pairs as well as events such as IP conflicts, IP changes, IP addresses with no RDNS, various kinds of ARP spoofing, and packets not using the expected gateway.

Options

-c file
use specified configuration file instead of default one
-f file
also log to file
-ns
do not log to syslog
-nd
do not run as a daemon
-ndisc
do not log discovery of new IP/MAC pairs when there is neither conflict nor IP change
-nout
do not log ARP requests from IP outside subnet
-ndns
do not log IP with no RDNS
-ch x
minimum interval in seconds between two log entries when a MAC uses multiple IPs
-co x
min log interval between IP conflict notifications
-tr x
min log interval between two notifications of any trouble involving the same IP/MAC addresses

Log Output

The output format is standardised to ease parsing. Each line starts with a timestamp, followed by a string identifying the log event, followed by its parameters, separated by semicolons. A '!' in the first parameter means the event concerns an IP or MAC defined as critical in the configuration file. A 'c' in the first parameter means the event is a continuation of a previous event. The last parameter of most events, named count here, represents the number of times a packet triggering the event was seen since the last log.
DISCOVER; IP; MAC
A new entry has been found. MAC is in the xx:xx:xx:xx:xx:xx form.
DNS; ; IP; MAC
Specified MAC does not have any DNS entry.
DHCPREQUEST; ; MAC
DHCPREPLY; ; MAC
Specified MAC emitted a DHCP request/reply.
DHCPSERVER; ; MAC
A DHCP reply is not coming from a known DHCP server.
IPCHANGE; ; MAC; count; fastest; LastIP; FormerIP; OtherIPs...
A MAC address has had several IPs, count being the number of IP change occurrences and fastest being the shortest period between two changes.
IPCONFLICT; ; IP; MAC1; MAC2; ...
Several MAC addresses have the same IP. Only the MAC addresses seen using the IP since last log event are displayed.
ARPREQUEST_OUT; ; MAC; IP; count
ARPREPLY_OUT; ; MAC; IP; count
An ARP request or reply for an IP outside subnet.
ARPREQUEST_SOURCE_MISMATCH; ; MACsource; MACtobetold; IP; count
An ARP request was emitted by MACsource for IP, but with the 'reply-to' field set to MACtobetold.
ARPREPLY_SOURCE_MISMATCH; ; MACsource; MACanswered; IP; count
An ARP reply emitted by MACsource tells that IP belongs to MACanswered, which is different from MACsource.
ARPREPLY_BROADCAST; ; MACsource; MACreplyed; IP; count
An ARP reply telling that IP belongs to MACreplyed was broadcast. This is very likely a gratuitous ARP, which is another word for spoofing.
PACKET_DESTINATION_MISMATCH; ; MACsource; MACtarget; IPtarget; count
A packet is destined outside subnet but is not using the MAC of a registered gateway.
PACKET_SOURCE_MISMATCH; ; MACsource; MACtarget; IPsource; count
A packet is originating from outside subnet, but is not using the MAC of a registered gateway.
PACKET_IN_AUTOCONFIGURE_NETWORK; ; MACSource
A packet is originating from the autoconfigure network (169.254.0.0/16): the machine did not receive an expected DHCP reply.
ERR
Used when an unexpected error occurs. arphound is very likely to exit after one of those.
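
A parser for the log format described above, as an added example that is not part of arphound or its man page; it turns each line into a dictionary so that critical ('!') and continuation ('c') events can be filtered. It assumes the event name is the last word before the first semicolon (the timestamp format is not specified here) and that the empty slot in the layouts above is the flag parameter; the dictionary key names and the sample lines are constructed for illustration.

```python
# Parameter layouts from the event list above. "flags" is the first parameter
# ('!' = critical, 'c' = continuation); '*' collects all remaining parameters.
# Key names are this example's own; mac_other stands for MACtobetold,
# MACanswered, MACreplyed or MACtarget.
SCHEMA = {
    "DISCOVER": ["ip", "mac"],
    "DNS": ["flags", "ip", "mac"],
    "IPCHANGE": ["flags", "mac", "count", "fastest", "last_ip", "former_ip", "*other_ips"],
    "IPCONFLICT": ["flags", "ip", "*macs"],
    "PACKET_IN_AUTOCONFIGURE_NETWORK": ["flags", "mac_source"],
    "ERR": ["*detail"],
}
for ev in ("DHCPREQUEST", "DHCPREPLY", "DHCPSERVER"):
    SCHEMA[ev] = ["flags", "mac"]
for ev in ("ARPREQUEST_OUT", "ARPREPLY_OUT"):
    SCHEMA[ev] = ["flags", "mac", "ip", "count"]
for ev in ("ARPREQUEST_SOURCE_MISMATCH", "ARPREPLY_SOURCE_MISMATCH",
           "ARPREPLY_BROADCAST", "PACKET_DESTINATION_MISMATCH",
           "PACKET_SOURCE_MISMATCH"):
    SCHEMA[ev] = ["flags", "mac_source", "mac_other", "ip", "count"]

def parse_line(line):
    """Parse one log line into a dict; return None for an unknown event."""
    head, *params = [p.strip() for p in line.strip().split(";")]
    # Assumption: the event name is the last word before the first ';'.
    timestamp, _, event = head.rpartition(" ")
    if event not in SCHEMA:
        return None
    rec = {"timestamp": timestamp, "event": event, "critical": False, "continuation": False}
    for i, name in enumerate(SCHEMA[event]):
        if name.startswith("*"):          # variable-length tail (MAC1; MAC2; ...)
            rec[name[1:]] = [p for p in params[i:] if p]
            break
        value = params[i] if i < len(params) else ""   # tolerate short lines
        if name == "flags":
            rec["critical"], rec["continuation"] = "!" in value, "c" in value
        elif name == "count":
            rec[name] = int(value) if value.isdigit() else None
        else:
            rec[name] = value
    return rec

# Constructed sample lines; the timestamp format is assumed.
SAMPLE = [
    "Jan 12 10:15:02 DISCOVER; 192.0.2.10; 00:11:22:33:44:55",
    "Jan 12 10:15:09 IPCONFLICT; !; 192.0.2.1; 00:11:22:33:44:55; 66:77:88:99:aa:bb",
    "Jan 12 10:15:40 ARPREPLY_SOURCE_MISMATCH; c; 66:77:88:99:aa:bb; 00:11:22:33:44:55; 192.0.2.1; 7",
]
```

Filtering the parsed records on `critical` gives the events that concern hosts marked as critical in the configuration file.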

Files

/etc/arphound.conf

See Also

arphound.conf(5), arp(8)

Author

Matthieu Nottale <matthieu@nottale.net>

Information about arphound development can be found at http://www.nottale.net/

Bugs

No known bugs to arphound have been reported.

Please report any bug to the author.