On Mon, May 20, 2002 at 06:44:24PM +0100, Antony Stone wrote:

> On Monday 20 May 2002 6:21 pm, Ramin Alidousti wrote:
> 
> > How does arpwatch work?
> 
> arpwatch is basically a packet sniffer for a specific protocol - arp.
> 
> It simply listens on the network to arp requests and responses, and as you 
> surmise, builds up a table of MAC address, IP address and timestamp.
> 
> As far as I know, it builds up the information only from arp responses (i.e. it 
> doesn't do anything with a request which does not get responded to), and it 
> keeps the timestamp data so it can add a bit more to its logfile entries & 
> alerts to let you know if a machine which has been quiet for a few days, or 
> weeks, or months, suddenly comes back on the scene again.
> 
> It regards 'spoofing' as a MAC address claiming to have a different IP 
> address from the one it had last time, or claiming to have an IP address 
> which arpwatch thinks belongs to some other MAC address.

And it does this by what? By sniffing the arp replies? If so, that's
exactly my point. There will be no arp reply to the spoofed IPs...

Ramin

> 
> You can override its behaviour in this respect if you have some machines 
> which really do have multiple IPs for a single MAC.
> 
> 
> Antony.
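
The bookkeeping described in this thread, as an added example that is not part of either message and is not arpwatch's own code: a table of MAC address, IP address and timestamp built only from ARP replies, with the two pairing changes and the reappearance case reported as events. The event names, the 7-day quiet threshold and the sample frames are assumptions constructed for illustration.

```python
import struct

ARP_REPLY = 2
QUIET_SECS = 7 * 86400  # assumed threshold for "has been quiet"

def make_reply(mac, ip, ts):
    # Build a constructed Ethernet + ARP reply frame for the demo input.
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    eth = b"\xff" * 6 + sha + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sha, spa, b"\x00" * 6, b"\x00" * 4)
    return ts, eth + arp

def parse_reply(frame):
    # Return (mac, ip) of the sender for an IPv4/Ethernet ARP reply, else None.
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper, sha, spa = struct.unpack(
        "!HHBBH6s4s", frame[14:32])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return sha.hex(":"), ".".join(map(str, spa))

def watch(frames):
    ip_to_mac, mac_to_ip, last_seen, events = {}, {}, {}, []
    for ts, frame in frames:
        pair = parse_reply(frame)
        if pair is None:
            continue  # requests and non-ARP frames are not recorded
        mac, ip = pair
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            events.append(("ip-claimed-by-other-mac", ip, ip_to_mac[ip], mac))
        elif mac in mac_to_ip and mac_to_ip[mac] != ip:
            events.append(("mac-changed-ip", mac, mac_to_ip[mac], ip))
        elif ip not in ip_to_mac:
            events.append(("new-pair", ip, mac))
        elif ts - last_seen[(mac, ip)] > QUIET_SECS:
            events.append(("reappeared", ip, mac))
        ip_to_mac[ip], mac_to_ip[mac], last_seen[(mac, ip)] = mac, ip, ts
    return events

A, B = "00:11:22:33:44:55", "00:11:22:33:44:66"
# Constructed sample input: (timestamp, frame) pairs, documentation addresses.
FRAMES = [make_reply(A, "192.0.2.10", 0), make_reply(B, "192.0.2.20", 10),
          make_reply(A, "192.0.2.10", 700000), make_reply(B, "192.0.2.10", 700010),
          make_reply(A, "192.0.2.30", 700020)]
```
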
