On Mon, May 20, 2002 at 05:25:14PM +0200, Maciej Soltysiak wrote:
> Hi,
>
> I was wondering is it possible to have:
>
> NET1 --- ROUTER --- NET2
>           /  \
>          /    \
>       NET3    NET4
>
>
> and keep a machine on NET4, that would ask the router of IP/MAC pairs over
> SNMP.
>
> The problem is this, that I have a Cisco router, with 4 internal networks,
> and if someone does IP spoofing on NET1, with another source from NET1, I
> am unable to verify if that was spoofed or not, without having a host in
> that NET1 network.
>
> What would solve my problem would be an arpwatch like application that
> would grab the MAC/IP pairs appearing on the interfaces (say over
> SNMP) and keep track of them in a database, like arpwatch.
How does arpwatch work? And what is the relationship with the spoofed
packets? Does arpwatch do exactly what its name suggests, "to watch
arps and build a table of MAC<->IP"? If so, how is it going to ID the
spoofed IPs? AFAICT, a spoofed packet would not get identified _iff_
arpwatch reacts only on arp replies. Or does it have more intelligence,
e.g., looking at arp requests, in which case these packets include not
much information, only "which MAC relates to this IP", for which you'll
never receive a reply and which is a partial/incomplete picture of what's
happening.

Sorry for these questions, but they may be valid...

Ramin

>
> Any solutions for that?
>
> Thanks,
> Regards,
> Maciej Soltysiak
>
>
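One way to do the polling Maciej describes, as an added example that is not code from either poster or from arpwatch: it parses the router's ARP cache as returned by Net-SNMP's `snmpwalk -On` for the standard ipNetToMediaPhysAddress column and reports changes between polls. The sample lines and addresses are constructed, and `parse_walk`, `update` and the "moved interface" event are names assumed for illustration ("new station" and "changed ethernet address" follow arpwatch's report wording).

```python
import re

# ipNetToMediaPhysAddress column (RFC 1213), indexed by ifIndex then IPv4 address
ARP_OID = ".1.3.6.1.2.1.4.22.1.2."
LINE_RE = re.compile(r"^" + re.escape(ARP_OID) + r"(\d+)\.(\d+\.\d+\.\d+\.\d+)"
                     r" = Hex-STRING: ((?:[0-9A-Fa-f]{2} ){5}[0-9A-Fa-f]{2})$")

# Constructed sample polls (documentation addresses, made-up MACs)
POLL_1 = """
.1.3.6.1.2.1.4.22.1.2.1.192.0.2.10 = Hex-STRING: 02 00 00 00 00 0A
.1.3.6.1.2.1.4.22.1.2.1.192.0.2.11 = Hex-STRING: 02 00 00 00 00 0B
"""
POLL_2 = """
.1.3.6.1.2.1.4.22.1.2.1.192.0.2.10 = Hex-STRING: 02 00 00 00 00 0A
.1.3.6.1.2.1.4.22.1.2.1.192.0.2.11 = Hex-STRING: 02 00 00 00 00 EE
.1.3.6.1.2.1.4.22.1.2.4.192.0.2.130 = Hex-STRING: 02 00 00 00 00 0C
"""

def parse_walk(text):
    """Return {(ifindex, ip): mac} from numeric snmpwalk output; other lines are skipped."""
    pairs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs[(int(m.group(1)), m.group(2))] = ":".join(m.group(3).lower().split())
    return pairs

def update(db, pairs, poll_time):
    """Merge one poll into db (ip -> record) and return the events it produced."""
    events = []
    for (ifindex, ip), mac in sorted(pairs.items()):
        old = db.get(ip)
        if old is None:
            events.append(("new station", ip, mac, ifindex))
        elif old["mac"] != mac:
            events.append(("changed ethernet address", ip, f"{old['mac']} -> {mac}", ifindex))
        elif old["ifindex"] != ifindex:
            events.append(("moved interface", ip, mac, ifindex))
        # "first" restarts whenever the binding changes, so it dates the current MAC
        first = old["first"] if old and old["mac"] == mac else poll_time
        db[ip] = {"mac": mac, "ifindex": ifindex, "first": first, "last": poll_time}
    return events

if __name__ == "__main__":
    db = {}
    for t, poll in enumerate((POLL_1, POLL_2), start=1):
        for event in update(db, parse_walk(poll), t):
            print(f"poll {t}:", *event)
```

The router's table holds only the addresses the router itself has resolved, so this records IP/MAC bindings as the router sees them between polls; it does not by itself attribute an individual packet to a sender.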
