On Monday 20 May 2002 4:25 pm, Maciej Soltysiak wrote:
> Hi,
>
> I was wondering, is it possible to have:
>
> NET1 --- ROUTER --- NET2
>             / \
>            /   \
>         NET3   NET4
>
> and keep a machine on NET4 that would ask the router for IP/MAC pairs over
> SNMP.
>
> The problem is this: I have a Cisco router with 4 internal networks,
> and if someone does IP spoofing on NET1, with another source from NET1, I
> am unable to verify whether that was spoofed or not without having a host in
> that NET1 network.
>
> What would solve my problem would be an arpwatch-like application that
> would grab the MAC/IP pairs appearing on the interfaces (say over
> SNMP) and keep track of them in a database, like arpwatch.
Why not run a machine with multiple Ethernet cards, one plugged into net1, one into net2, etc., and run arpwatch on it? Make sure routing is turned off on the machine and it won't attempt to forward anything; in fact, if you want to be really sure it won't forward packets onto the wrong networks, make up some special Ethernet leads with only the receive pair in place - then the machine cannot possibly send onto the wrong network :-)

Antony
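For the SNMP-fed approach Maciej asked about, here is an added example (not code from either poster) of an arpwatch-style tracker that parses the router's ARP cache as returned by `snmpwalk -On` over ipNetToMediaPhysAddress (1.3.6.1.2.1.4.22.1.2, RFC 1213) and reports "new station" and "changed ethernet address" events per interface. The ifIndex-to-network mapping, the addresses and the two polls are constructed, and the output format assumed is net-snmp's.

```python
"""Arpwatch-style tracker fed by a router's SNMP ARP cache (ipNetToMediaTable, RFC 1213).
The snmpwalk output below is constructed for the example, not captured from a real device."""
import re

# ipNetToMediaPhysAddress is 1.3.6.1.2.1.4.22.1.2.<ifIndex>.<ip>; net-snmp prints the
# value as "Hex-STRING: 00 0C ..." (no MIBs loaded) or "STRING: 0:c:..." (MIBs loaded).
LINE_RE = re.compile(
    r"^\.?1\.3\.6\.1\.2\.1\.4\.22\.1\.2\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*"
    r"(?:Hex-)?STRING:\s*([0-9A-Fa-f]{1,2}(?:[ :][0-9A-Fa-f]{1,2}){5})$")

def norm_mac(raw):
    """Canonical lower-case, zero-padded, colon-separated form so both styles compare equal."""
    return ":".join(f"{int(o, 16):02x}" for o in re.split(r"[ :]", raw))

def parse_walk(text):
    """Yield (ifIndex, ip, mac) for each ARP entry in snmpwalk -On output; ignore other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), norm_mac(m.group(3))

class ArpTracker:
    """Remembers the last MAC seen per (interface, IP) and emits arpwatch-like events."""
    def __init__(self):
        self.db = {}  # (ifIndex, ip) -> mac; persist this to disk in a real deployment

    def update(self, entries):
        events = []
        for ifindex, ip, mac in entries:
            old = self.db.get((ifindex, ip))
            if old is None:
                events.append(("new station", ifindex, ip, mac))
            elif old != mac:
                events.append(("changed ethernet address", ifindex, ip, f"{old} -> {mac}"))
            self.db[(ifindex, ip)] = mac
        return events

# Constructed polls: ifIndex 2 stands for NET1, ifIndex 5 for NET4; 10.0.1.11 changes MAC in poll 2.
POLL_1 = """\
.1.3.6.1.2.1.4.22.1.2.2.10.0.1.10 = Hex-STRING: 00 0C 29 3A 1B 2C
.1.3.6.1.2.1.4.22.1.2.2.10.0.1.11 = Hex-STRING: 00 0C 29 44 55 66
.1.3.6.1.2.1.4.22.1.2.5.10.0.4.20 = Hex-STRING: 00 50 56 AA BB CC
"""
POLL_2 = POLL_1.replace("00 0C 29 44 55 66", "00 0C 29 DE AD 01")

if __name__ == "__main__":
    tracker = ArpTracker()
    for poll in (POLL_1, POLL_2):
        for event in tracker.update(parse_walk(poll)):
            print(*event)
```

Because the router only learns ARP entries for hosts it actually talks to, a tracker like this sees what the router sees; it does not replace a listening host on the segment for traffic that never crosses the router.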
