> Maybe this is an opportunity for something as an extension or parallel
> to arpwatch, perhaps called spoofwatch, which builds up a similar list
> of MAC/IP pairs for arp requests on the network, but then continuously
> compares those against all the packets it sees, to check whether
> machine 1 with MAC address mac1 and IP address IP1 ever sends out a
> packet with IP address IP2 as the source, or alternatively if it ever
> sees a packet with a MAC address which doesn't belong to a system on
> the network.

Now that you mention it Snort can do that, and checks every packet, which is great. It just needs a table of valid MACs/IPs.
Unfortunately, here, with over 800 computers, managed via BOOTP on 4 different LANs and Cisco routers, it would require setting up an additional Linux host with all interfaces to all LANs and updating the MAC/IP tables every time there is a change to bootptab.

Hmm, I think it's a good idea. Now I think it is a great solution, which did not come to my mind. Thanks.

> Antony.

Maciej
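Added example, not part of the original message and not code from arpwatch or Snort: a sketch of the check discussed above, building the MAC/IP table directly from bootptab so it can be regenerated on every change and comparing observed (source MAC, source IP) pairs against it. The function names, the `gateways` parameter and the sample entries are hypothetical; the parser assumes each host entry carries its own `ha=` and `ip=` tags.

```python
import re

# Constructed sample in bootptab style; host names and addresses are made up.
SAMPLE_BOOTPTAB = r"""
# template entry (name starts with a dot), carries no ha/ip
.lan1:sm=255.255.255.0:gw=10.1.0.1:
pc001:ht=ether:ha=00A0C9112233:ip=10.1.0.21:tc=.lan1:
pc002:ht=ether:\
    :ha=00A0C9445566:ip=10.1.0.22:tc=.lan1:
"""

def norm_mac(text):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", text.lower())

def load_bootptab(text):
    """Return {mac: ip} for every host entry that has both ha= and ip= tags."""
    joined = re.sub(r"\\\s*\n\s*", "", text)  # fold backslash continuations
    table = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ".")):
            continue  # skip blanks, comments and template entries
        tags = dict(f.split("=", 1) for f in line.split(":")[1:] if "=" in f)
        if "ha" in tags and "ip" in tags:
            table[norm_mac(tags["ha"])] = tags["ip"].strip()
    return table

def check_frame(table, src_mac, src_ip, gateways=frozenset()):
    """Classify one observed frame as ok, unknown-mac or ip-mismatch."""
    mac = norm_mac(src_mac)
    if mac in gateways:
        return "ok"  # a router forwards packets with many source IPs
    if mac not in table:
        return "unknown-mac"
    if src_ip == "0.0.0.0":
        return "ok"  # BOOTP request sent before the client knows its IP
    return "ok" if table[mac] == src_ip else "ip-mismatch"

if __name__ == "__main__":
    table = load_bootptab(SAMPLE_BOOTPTAB)
    # Constructed observations: (source MAC, source IP) as seen on the wire.
    for mac, ip in [("00:a0:c9:11:22:33", "10.1.0.21"),
                    ("00:a0:c9:11:22:33", "10.1.0.22"),
                    ("de:ad:be:ef:00:01", "10.1.0.21")]:
        print(mac, ip, check_frame(table, mac, ip))
```

The MAC addresses of the routers on each LAN would go in `gateways`, since packets routed in from the other LANs arrive with the router's MAC and a foreign source IP.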
