nuke
Over the past week, I've started getting a lot of emails from arpwatch. I'm not sure how to figure out what has changed that this is now happening.

Typically I'm getting the following messages but also a few "changed ethernet address". The "changed ethernet" are not very often though.

flip flops

hostname: <unknown>
ip address: 0.0.0.0
ethernet address: AA:AA:AA:AA:AA:AA
ethernet vendor: <unknown>
old ethernet address: BB:BB:BB:BB:BB:BB
old ethernet vendor: <unknown>
timestamp: Wednesday, May 22, 2019 18:14:11 -0400
previous timestamp: Wednesday, May 22, 2019 17:57:12 -0400
delta: 16 minutes


hostname: <unknown>
ip address: 0.0.0.0
ethernet address: AA:AA:AA:AA:AA:AA
ethernet vendor: <unknown>
old ethernet address: CC:CC:CC:CC:CC:CC
old ethernet vendor: <unknown>
timestamp: Wednesday, May 22, 2019 18:46:06 -0400
previous timestamp: Wednesday, May 22, 2019 18:31:35 -0400
delta: 14 minutes


Interestingly enough this is only happening with a replacement wifi router in access mode, one Macbook, an iMac and 3 iPhones. They are all using the WIFI network segment to connect. But we have other devices (Android, Chromecast) using WIFI on our network and they aren't having this problem. There are no issues on the wired segment of the network.

The access point has the same settings as the one it replaced. It had no problems like this before. I'm not 100% sure if this started happening after the replacement router was installed or if it started when arpwatch was updated in the 7.5 upgrade. The earliest arpwatch emails are from May 15th.

I've done a bunch of Googling and can't find anything relevant to my network or situation that might cause this. I am wondering if the Access Point is running a DHCP server despite it being disabled but I don't know how to check.

I would appreciate any suggestions on how to debug as the 20+ emails per day from arpwatch are getting very tedious.

Thanks in advance.
Thursday, May 23 2019, 12:36 AM
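To triage a day's worth of these mails instead of reading them one by one, here is an added Python helper (not from the thread and not part of arpwatch) that parses reports in the format quoted above and counts flips per IP; the sample text is constructed to mirror the two reports in the question. Entries for 0.0.0.0 are flagged separately because ARP probes from a host that has not yet obtained an address use sender IP 0.0.0.0, so several clients sharing that "address" is expected on a DHCP segment, while a real IP flapping between MACs is the case worth looking at.

```python
import re
from collections import defaultdict

# Constructed sample: two "flip flop" reports in the layout arpwatch mails,
# with the placeholder MACs used in the thread (not a real capture).
SAMPLE_REPORTS = """\
hostname: <unknown>
ip address: 0.0.0.0
ethernet address: AA:AA:AA:AA:AA:AA
ethernet vendor: <unknown>
old ethernet address: BB:BB:BB:BB:BB:BB
old ethernet vendor: <unknown>
timestamp: Wednesday, May 22, 2019 18:14:11 -0400
previous timestamp: Wednesday, May 22, 2019 17:57:12 -0400
delta: 16 minutes


hostname: <unknown>
ip address: 0.0.0.0
ethernet address: AA:AA:AA:AA:AA:AA
ethernet vendor: <unknown>
old ethernet address: CC:CC:CC:CC:CC:CC
old ethernet vendor: <unknown>
timestamp: Wednesday, May 22, 2019 18:46:06 -0400
previous timestamp: Wednesday, May 22, 2019 18:31:35 -0400
delta: 14 minutes
"""

FIELD = re.compile(r"^([a-z ]+):\s*(.*)$")


def parse_reports(text):
    """Split mail bodies on blank lines into one dict (field -> value) per report."""
    reports, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2)
        elif current:            # blank line closes the report in progress
            reports.append(current)
            current = {}
    if current:
        reports.append(current)
    return reports


def summarize(reports):
    """Per IP: how many flips were reported and which MACs were involved.
    probe_only marks 0.0.0.0, i.e. address-less ARP probes rather than a
    claimed address changing hands."""
    summary = defaultdict(lambda: {"flips": 0, "macs": set(), "probe_only": False})
    for r in reports:
        ip = r.get("ip address", "")
        entry = summary[ip]
        entry["flips"] += 1
        entry["macs"].update(
            m for m in (r.get("ethernet address"), r.get("old ethernet address")) if m)
        entry["probe_only"] = (ip == "0.0.0.0")
    return dict(summary)
```

Feed it the concatenated mail bodies (for example from a saved mbox) and any IP other than 0.0.0.0 with more than two MACs in its set is the one to investigate.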
Responses (5)
  • nuke, Thursday, May 30 2019, 11:36 PM
    Thank you all for your help.

    I thought I should give you an update.

    Given some of the posts here and found through Google, I decided to try to rule out the replacement Access Point. I exchanged the new with the old Access Point to see if that might fix things.

    As of the past 4 days, I've only had 1 changed ethernet connection and 1 flip flop. So I'm leaning towards the Access Point being the culprit.

    I've contacted the Access Point supplier to see if by chance the box is sending out DHCP connections even when it is supposed to be turned off.

    Will report back as I learn more.
  • Sunday, May 26 2019, 03:48 AM
    i've seen this too, and decided not to worry about it.
  • Friday, May 24 2019, 07:35 AM
    Lots of ways of telling your LAN interfaces - IP Settings in the webconfig, "ps aux | grep arpwatch", "grep IF /etc/clearos/network.conf" and ignore the EXTIF, or, flashier, "ls /etc/systemd/system/multi-user.target.wants/arpwatch*"

    All you can do is play with the options. In the past I tried using -n to get rid of the 0.0.0.0 messages but it didn't work. If you have two separate LANIFs, then arpwatch should not need the -n.

    Personally I am not sure, really, what arpwatch brings to the table.
  • nuke, Friday, May 24 2019, 12:52 AM
    Thank you Nick. Appreciate your help as always!

    Is there a way to find out what "your_LAN_interface" is being used by the command?
    systemctl restart arpwatch@your_LAN_interface


    Before I mess with the command, I should know what "your_LAN_interface" is being executed in the default state.

    As I have 2 network segments, perhaps I need to add the second segment using the -n option? Maybe the default is our wired segment but not the wifi segment?

    In the man page for arpwatch, it says:
    The -n flag specifies additional local networks. This can be useful to avoid "bogon" warnings when there is more than one network running on the same wire. If the optional width is not specified, the default netmask for the network's class is used.


    I would like to keep arpwatch sending info when it really should, and if I turn off the emails then I won't get something when I really should look at it. So I'd really like to continue to try to figure out why this is happening.

    Thanks again.
  • Thursday, May 23 2019, 07:26 AM
    Last week, app-network-map was updated to add a couple of filters to /var/log/messages. It also added a "-N" to the OPTIONS line in /etc/sysconfig/arpwatch. This should just stop arpwatch logging bogon messages. Neither of these should have had any effect. The log filters could not have affected the e-mails but I guess the -N perhaps could. The other thing which could is if you recently aliased root to yourself in the mail system.

    You can try removing the -N but to restart arpwatch you have to do it by the LAN interface with:
    systemctl restart arpwatch@your_LAN_interface
    It would be interesting to know if it does anything to fix the problem.

    The other thing to do is edit the OPTIONS line in /etc/sysconfig/arpwatch and remove the "-s 'root (Arpwatch)'" and change the "-e root" to "-e -" then restart arpwatch. This will stop arpwatch from sending e-mails (which I changed years ago). My options line looks like:
    OPTIONS="-u arpwatch -e - -N"