network/arpwatch: Added (for tracking IP addresses on a network)

Signed-off-by: dsomero <xgizzmo@slackbuilds.org>
This commit is contained in:
Michal Bialozor 2010-08-14 15:45:24 -04:00 committed by dsomero
parent a80381f7a5
commit 77dd75eaef
17 changed files with 929 additions and 0 deletions

8
network/arpwatch/README Normal file
View file

@ -0,0 +1,8 @@
The arpwatch package contains arpwatch and arpsnmp. Arpwatch and
arpsnmp are both network monitoring tools. Both utilities monitor
Ethernet or FDDI network traffic and build databases of Ethernet/IP
address pairs, and can report certain changes via email.
Install the arpwatch package if you need networking monitoring devices
which will automatically keep track of the IP addresses on your
network.

View file

@ -0,0 +1,26 @@
README.ethercodes
=================
This file contains some specific instructions to complete the
installation of arpwatch on Slackware.
1) After installing the arpwatch package
----------------------------------------
1.1) Change current location to the arpwatch working directory:
# cd /var/lib/arpwatch
1.2) Download newest MAC addresses database:
# wget http://standards.ieee.org/regauth/oui/oui.txt
1.3) Convert it into ethercodes.dat format using script included in arpwatch source:
# ./massagevendor oui.txt > ethercodes.dat
1.4) Remove unnecessary database file:
# rm -f oui.txt
1.5) Congratulations, you have just created ethercodes.dat file with the newest MAC adresses.

View file

@ -0,0 +1,105 @@
#!/bin/sh
# Slackware build script for arpwatch
# Written by Michal Bialozor <bialyy@o2.pl>
PRGNAM=arpwatch
VERSION=2.1a15
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) ARCH=i486 ;;
arm*) ARCH=arm ;;
# Unless $ARCH is already set, use uname -m for all other archs:
*) ARCH=$( uname -m ) ;;
esac
fi
CWD=$(pwd)
TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
if [ "$ARCH" = "i486" ]; then
SLKCFLAGS="-O2 -march=i486 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "i686" ]; then
SLKCFLAGS="-O2 -march=i686 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
set -e
rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
rm -rf $PRGNAM-$VERSION
tar xvf $CWD/$PRGNAM.tar.gz
cd $PRGNAM-$VERSION
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
-exec chmod 755 {} \; -o \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \;
cat $CWD/patches/arpwatch-2.1a4-fhs.patch | patch --verbose -p1 || exit 1
cat $CWD/patches/arpwatch-2.1a10-man.patch | patch --verbose -p1 || exit 1
cat $CWD/patches/arpwatch-drop.patch | patch --verbose -p1 || exit 1
cat $CWD/patches/arpwatch-drop-man.patch | patch --verbose -p0 || exit 1
cat $CWD/patches/arpwatch-addr.patch | patch --verbose -p1 || exit 1
cat $CWD/patches/arpwatch-dir-man.patch | patch --verbose -p1 || exit 1
cat $CWD/patches/arpwatch-scripts.patch | patch --verbose -p1 || exit 1
cat $CWD/patches/arpwatch-2.1a15-nolocalpcap.patch | patch -p1 || exit 1
cat $CWD/patches/arpwatch-2.1a15-bogon.patch | patch -p1 || exit 1
cat $CWD/patches/arpwatch-2.1a15-extraman.patch | patch --verbose -p1 || exit 1
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
--prefix=/usr \
--bindir=/usr/sbin \
--sbindir=/usr/sbin \
--localstatedir=/var \
--mandir=/usr/man \
--build=$ARCH-slackware-linux
mkdir -p $PKG/usr/sbin
mkdir -p $PKG/usr/man/man8
make ARPDIR=/var/lib/$PRGNAM
make install install-man DESTDIR=$PKG
find $PKG | xargs file | grep -e "executable" -e "shared object"| grep ELF | \
cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
find $PKG/usr/man -type f -exec gzip -9 {} \;
for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a CHANGES INSTALL README $PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
cat $CWD/README.ethercodes > $PKG/usr/doc/$PRGNAM-$VERSION/README.ethercodes
mkdir -p $PKG/var/lib/$PRGNAM
cp -a arp.dat ethercodes.dat arp2ethers arpfetch massagevendor massagevendor-old \
d.awk duplicates.awk e.awk euppertolower.awk p.awk $PKG/var/lib/$PRGNAM
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
cat $CWD/doinst.sh > $PKG/install/doinst.sh
mkdir -p $PKG/etc/rc.d
cat $CWD/rc.$PRGNAM > $PKG/etc/rc.d/rc.$PRGNAM.new
cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}

View file

@ -0,0 +1,10 @@
PRGNAM="arpwatch"
VERSION="2.1a15"
HOMEPAGE="http://ee.lbl.gov/"
DOWNLOAD="ftp://ftp.ee.lbl.gov/arpwatch.tar.gz"
MD5SUM="cebfeb99c4a7c2a6cee2564770415fe7"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
MAINTAINER="Michal Bialozor"
EMAIL="bialyy@o2.pl"
APPROVED="dsomero"

View file

@ -0,0 +1,20 @@
config() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
# If there's no config file by that name, mv it over:
if [ ! -r $OLD ]; then
mv $NEW $OLD
elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
rm $NEW
fi
# Otherwise, we leave the .new copy for the admin to consider...
}
# Keep same perms on rc.arpwatch.new:
if [ -e etc/rc.d/rc.arpwatch ]; then
cp -a etc/rc.d/rc.arpwatch etc/rc.d/rc.arpwatch.new.incoming
cat etc/rc.d/rc.arpwatch.new > etc/rc.d/rc.arpwatch.new.incoming
mv etc/rc.d/rc.arpwatch.new.incoming etc/rc.d/rc.arpwatch.new
fi
config etc/rc.d/rc.arpwatch.new

View file

@ -0,0 +1,33 @@
diff -uNr arpwatch-2.1a10/arpsnmp.8 arpwatch-2.1a10.man/arpsnmp.8
--- arpwatch-2.1a10/arpsnmp.8 Sun Sep 17 23:34:48 2000
+++ arpwatch-2.1a10.man/arpsnmp.8 Sun Dec 31 02:00:54 2000
@@ -41,7 +41,7 @@
and reports certain changes via email.
.B Arpsnmp
reads information from a file (usually generated by
-.BR snmpwalk (8)).
+.BR snmpwalk (1)).
.LP
The
.B -d
@@ -62,9 +62,9 @@
.LP
.SH "REPORT MESSAGES"
(See the
-.BR arpwatch (1)
+.BR arpwatch (8)
man page for details on the report messages generated by
-.BR arpsnmp (1).)
+.BR arpsnmp (8).)
.SH FILES
.na
.nh
@@ -79,7 +79,7 @@
.na
.nh
.BR arpwatch (8),
-.BR snmpwalk (8),
+.BR snmpwalk (1),
.BR arp (8)
.ad
.hy

View file

@ -0,0 +1,20 @@
--- arpwatch-2.1a15/arpwatch.c.bogon 2007-08-09 13:53:47.000000000 +0200
+++ arpwatch-2.1a15/arpwatch.c 2007-08-09 13:58:17.000000000 +0200
@@ -730,11 +730,12 @@ addnet(register const char *str)
/* XXX hack */
n = ntohl(inet_addr(tstr));
- while ((n & 0xff000000) == 0) {
- n <<= 8;
- if (n == 0)
- return (0);
- }
+ if (n || width != 32)
+ while ((n & 0xff000000) == 0) {
+ n <<= 8;
+ if (n == 0)
+ return (0);
+ }
n = htonl(n);
if (width != 0) {

View file

@ -0,0 +1,173 @@
diff -up arpwatch-2.1a15/Makefile.in.extraman arpwatch-2.1a15/Makefile.in
--- arpwatch-2.1a15/Makefile.in.extraman 2009-12-14 18:01:27.000000000 +0100
+++ arpwatch-2.1a15/Makefile.in 2010-03-30 15:11:30.000000000 +0200
@@ -118,6 +118,10 @@ install-man: force
$(DESTDIR)$(MANDEST)/man8
$(INSTALL) -m 644 $(srcdir)/arpsnmp.8 \
$(DESTDIR)$(MANDEST)/man8
+ $(INSTALL) -m 644 $(srcdir)/arp2ethers.8 \
+ $(DESTDIR)$(MANDEST)/man8
+ $(INSTALL) -m 644 $(srcdir)/massagevendor.8 \
+ $(DESTDIR)$(MANDEST)/man8
lint: $(GENSRC) force
lint -hbxn $(SRC) | \
diff -up arpwatch-2.1a15/arp2ethers.8.extraman arpwatch-2.1a15/arp2ethers.8
--- arpwatch-2.1a15/arp2ethers.8.extraman 2010-03-30 15:12:37.000000000 +0200
+++ arpwatch-2.1a15/arp2ethers.8 2010-03-30 15:53:01.000000000 +0200
@@ -0,0 +1,60 @@
+.TH ARP2ETHERS 8
+.SH NAME
+arp2ethers \- convert arpwatch address database to ethers file format
+.SH SYNOPSIS
+.na
+.B arp2ethers
+.ad
+.SH "DESCRIPTION"
+.B arp2ethers
+converts file
+.IR arp.dat
+in the current directory into
+.BR ethers(5)
+format on
+.IR stdout .
+Usually
+.IR arp.dat
+is an ethernet/ip database file generated by
+.BR arpwatch(8) .
+The arpwatch daemon in Debian will create different
+.IR arp.dat
+depending on its configuration. All of them will be available at
+.IR /var/lib/arpwatch/ .
+.SH FILES
+.na
+.nh
+.nf
+/var/lib/arpwatch - default directory for arp.dat
+arp.dat - ethernet/ip address database
+.ad
+.hy
+.fi
+.SH "SEE ALSO"
+.na
+.nh
+.BR arpwatch (8),
+.BR ethers (5),
+.BR rarp (8),
+.BR arp (8),
+.ad
+.hy
+.SH BUGS
+Please send bug reports to arpwatch@ee.lbl.gov.
+.SH AUTHORS
+.LP
+Original version by Craig Leres of the Lawrence Berkeley
+National Laboratory Network Research Group, University of
+California, Berkeley, CA.
+.LP
+Modified for the Debian Project by Peter Kelemen, with
+additions from Erik Warmelink.
+.LP
+The current version is available via anonymous ftp:
+.LP
+.RS
+.I ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
+.RE
+.LP
+This manual page was contributed by Hugo Graumann.
+
diff -up arpwatch-2.1a15/massagevendor.8.extraman arpwatch-2.1a15/massagevendor.8
--- arpwatch-2.1a15/massagevendor.8.extraman 2010-03-30 15:15:18.000000000 +0200
+++ arpwatch-2.1a15/massagevendor.8 2010-03-30 15:15:18.000000000 +0200
@@ -0,0 +1,91 @@
+.TH MASSAGEVENDOR 8
+.SH NAME
+massagevendor \- convert the ethernet vendor codes master list to arpwatch format
+.SH SYNOPSIS
+.na
+massagevendor
+.I vendorfile
+.SH "DESCRIPTION"
+.B massagevendor
+is a program that converts a text file containing ethernet vendor codes
+into a format suitable for use by
+.B arpwatch(8)
+and
+.B arpsnmp(8).
+The input
+.I vendorfile
+is a master text file containing vendor codes. The output
+is sent to
+.I stdout.
+Each line of the
+.I vendorfile
+is expected to have a six digit hexadecimal vendor code
+followed by spaces followed by the name of the manufacturer.
+.LP
+All ethernet devices have a unique identifier which
+includes a vendor code specifying the manufacturer of the
+device. In normal operation
+.B arpwatch(8)
+and
+.B arpsnmp(8)
+use the file
+.I ethercodes.dat
+to report this vendor code.
+.B massagevendor
+is used to generate the
+.I ethercodes.dat
+file from text files containing these vendor codes.
+.LP
+Locations where an ethernet vendor codes master text file
+can be obtained are given below.
+.SH FILES
+.na
+.nh
+.nf
+/var/lib/arpwatch - default location of the ethernet vendor list
+ethercodes.dat - file containing the list of ethernet vendor codes
+.ad
+.hy
+.fi
+.SH "SEE ALSO"
+.na
+.nh
+.BR arpwatch(8),
+.BR arpsnmp(8)
+.ad
+.hy
+.SH NOTES
+Sources for ethernet vendor codes seen in the wild are
+.LP
+.na
+.nh
+.nf
+.RS
+.I http://map-ne.com/Ethernet/vendor.html
+.I ftp://ftp.cavebear.com/pub/Ethernet.txt
+.I http://www.cavebear.com/CaveBear/Ethernet/vendor.html
+.RE
+.ad
+.hy
+.LP
+Useful for comparison or completeness are the
+ethernet vendor codes as assigned
+by the IEEE which can be found at
+.LP
+.RS
+.I http://standards.ieee.org/regauth/oui/oui.txt
+.RE
+.SH BUGS
+Please send bug reports to arpwatch@ee.lbl.gov.
+.SH AUTHORS
+Craig Leres of the
+Lawrence Berkeley National Laboratory Network Research Group,
+University of California, Berkeley, CA.
+.LP
+The current version is available via anonymous ftp:
+.LP
+.RS
+.I ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
+.RE
+.LP
+This manual page was contributed by Hugo Graumann.

View file

@ -0,0 +1,10 @@
--- arpwatch-2.1a15/configure.nolocalpcap 2006-06-21 22:32:38.000000000 +0200
+++ arpwatch-2.1a15/configure 2006-11-09 15:04:35.000000000 +0100
@@ -4956,6 +4956,7 @@
places=`ls .. | sed -e 's,/$,,' -e 's,^,../,' | \
egrep '/libpcap-[0-9]*\.[0-9]*(\.[0-9]*)?([ab][0-9]*)?$'`
for dir in $places ../libpcap libpcap ; do
+ break
basedir=`echo $dir | sed -e 's/[ab][0-9]*$//'`
if test $lastdir = $basedir ; then
continue;

View file

@ -0,0 +1,20 @@
--- arpwatch-2.1a4/Makefile.in.fhs Sun Jun 18 08:26:28 2000
+++ arpwatch-2.1a4/Makefile.in Sun Jun 18 08:27:21 2000
@@ -109,13 +109,13 @@
$(CC) $(CFLAGS) -o $@ zap.o intoa.o -lutil
install: force
- $(INSTALL) -m 555 -o bin -g bin arpwatch $(DESTDIR)$(BINDEST)
- $(INSTALL) -m 555 -o bin -g bin arpsnmp $(DESTDIR)$(BINDEST)
+ $(INSTALL) -m 755 arpwatch $(DESTDIR)$(BINDEST)
+ $(INSTALL) -m 755 arpsnmp $(DESTDIR)$(BINDEST)
install-man: force
- $(INSTALL) -m 444 -o bin -g bin $(srcdir)/arpwatch.8 \
+ $(INSTALL) -m 644 $(srcdir)/arpwatch.8 \
$(DESTDIR)$(MANDEST)/man8
- $(INSTALL) -m 444 -o bin -g bin $(srcdir)/arpsnmp.8 \
+ $(INSTALL) -m 644 $(srcdir)/arpsnmp.8 \
$(DESTDIR)$(MANDEST)/man8
lint: $(GENSRC) force

View file

@ -0,0 +1,232 @@
--- arpwatch-2.1a11/addresses.h.in.addr Wed Jun 5 00:40:29 1996
+++ arpwatch-2.1a11/addresses.h.in Wed Jul 31 17:39:38 2002
@@ -1,2 +1,4 @@
#define WATCHER "root"
-#define WATCHEE "arpwatch (Arpwatch)"
+#define WATCHEE "root (Arpwatch)"
+extern char *watcher;
+extern char *watchee;
--- arpwatch-2.1a11/arpsnmp.8.addr Sun Sep 17 15:34:48 2000
+++ arpwatch-2.1a11/arpsnmp.8 Fri Aug 2 15:15:31 2002
@@ -30,6 +30,12 @@
] [
.B -f
.I datafile
+] [
+.B -e
+.I username
+] [
+.B -s
+.I username
]
.I file
[
@@ -59,6 +65,27 @@
.I arp.dat
file must be created before the first time you run
.BR arpsnmp .
+.LP
+If the
+.B -e
+flag is used,
+.B arpsnmp
+sends e-mail messages to
+.I username
+rather than the default (root).
+If a single `-' character is given for the username,
+sending of e-mail is suppressed,
+but logging via syslog is still done as usual.
+(This can be useful during initial runs, to collect data
+without being flooded with messages about new stations.)
+.LP
+If the
+.B -s
+flag is used,
+.B arpsnmp
+sends e-mail messages with
+.I username
+as the return address, rather than the default (root).
.LP
.SH "REPORT MESSAGES"
(See the
--- arpwatch-2.1a11/arpsnmp.c.addr Sun Jan 17 19:47:40 1999
+++ arpwatch-2.1a11/arpsnmp.c Fri Aug 2 15:17:16 2002
@@ -59,6 +59,7 @@
#include "file.h"
#include "machdep.h"
#include "util.h"
+#include "addresses.h"
/* Forwards */
int main(int, char **);
@@ -90,7 +91,7 @@
}
opterr = 0;
- while ((op = getopt(argc, argv, "df:")) != EOF)
+ while ((op = getopt(argc, argv, "df:e:s:")) != EOF)
switch (op) {
case 'd':
@@ -105,6 +106,24 @@
arpfile = optarg;
break;
+ case 'e':
+ if ( optarg ) {
+ watcher = strdup(optarg);
+ } else {
+ (void)fprintf(stderr, "%s: Need recipient username/e-mail address after -e\n", prog);
+ usage();
+ }
+ break;
+
+ case 's':
+ if ( optarg ) {
+ watchee = strdup(optarg);
+ } else {
+ (void)fprintf(stderr, "%s: Need sender username/e-mail address after -s\n", prog);
+ usage();
+ }
+ break;
+
default:
usage();
}
@@ -184,6 +203,6 @@
(void)fprintf(stderr, "Version %s\n", version);
(void)fprintf(stderr,
- "usage: %s [-d] [-f datafile] file [...]\n", prog);
+ "usage: %s [-d] [-f datafile] [-e username] [-s username] file [...]\n", prog);
exit(1);
}
--- arpwatch-2.1a11/arpwatch.8.addr Thu Aug 1 13:45:36 2002
+++ arpwatch-2.1a11/arpwatch.8 Thu Aug 1 14:08:05 2002
@@ -46,6 +46,12 @@
] [
.B -u
.I username
+] [
+.B -e
+.I username
+] [
+.B -s
+.I username
]
.ad
.SH DESCRIPTION
@@ -106,6 +112,27 @@
and group ID to that of the primary group of
.IR username .
This is recommended for security reasons.
+.LP
+If the
+.B -e
+flag is used,
+.B arpwatch
+sends e-mail messages to
+.I username
+rather than the default (root).
+If a single `-' character is given for the username,
+sending of e-mail is suppressed,
+but logging via syslog is still done as usual.
+(This can be useful during initial runs, to collect data
+without being flooded with messages about new stations.)
+.LP
+If the
+.B -s
+flag is used,
+.B arpwatch
+sends e-mail messages with
+.I username
+as the return address, rather than the default (root).
.LP
Note that an empty
.I arp.dat
--- arpwatch-2.1a11/arpwatch.c.addr Thu Aug 1 13:45:36 2002
+++ arpwatch-2.1a11/arpwatch.c Thu Aug 1 13:47:35 2002
@@ -78,6 +78,7 @@
#include "machdep.h"
#include "setsignal.h"
#include "util.h"
+#include "addresses.h"
/* Some systems don't define these */
#ifndef ETHERTYPE_REVARP
@@ -190,7 +191,7 @@
interface = NULL;
rfilename = NULL;
pd = NULL;
- while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF)
+ while ((op = getopt(argc, argv, "df:i:n:Nr:u:e:s:")) != EOF)
switch (op) {
case 'd':
@@ -232,6 +233,26 @@
}
break;
+ case 'e':
+ if ( optarg ) {
+ watcher = strdup(optarg);
+ }
+ else {
+ fprintf(stderr, "%s: Need recipient username/e-mail address after -e\n", prog);
+ usage();
+ }
+ break;
+
+ case 's':
+ if ( optarg ) {
+ watchee = strdup(optarg);
+ }
+ else {
+ fprintf(stderr, "%s: Need sender username/e-mail address after -s\n", prog);
+ usage();
+ }
+ break;
+
default:
usage();
}
@@ -784,6 +805,7 @@
(void)fprintf(stderr, "Version %s\n", version);
(void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
- " [-n net[/width]] [-r file] [-u username]\n", prog);
+ " [-n net[/width]] [-r file] [-u username]"
+ " [-e username] [-s username]\n", prog);
exit(1);
}
--- arpwatch-2.1a11/report.c.addr Sat Sep 30 18:41:10 2000
+++ arpwatch-2.1a11/report.c Thu Aug 1 14:16:43 2002
@@ -70,6 +70,9 @@
#define PLURAL(n) ((n) == 1 || (n) == -1 ? "" : "s")
+char *watcher = WATCHER;
+char *watchee = WATCHEE;
+
static int cdepth; /* number of outstanding children */
static char *fmtdate(time_t);
@@ -240,8 +243,6 @@
register FILE *f;
char tempfile[64], cpu[64], os[64];
char *fmt = "%20s: %s\n";
- char *watcher = WATCHER;
- char *watchee = WATCHEE;
char *sendmail = PATH_SENDMAIL;
char *unknown = "<unknown>";
char buf[132];
@@ -258,6 +259,9 @@
}
f = stdout;
(void)putc('\n', f);
+ } else if (watcher == NULL || *watcher == NULL || *watcher == '-') {
+ dosyslog(LOG_NOTICE, title, a, e1, e2);
+ return;
} else {
/* Setup child reaper if we haven't already */
if (!init) {

View file

@ -0,0 +1,22 @@
--- arpwatch-2.1a15/arpsnmp.8.dirman 2006-11-02 17:00:58.000000000 +0100
+++ arpwatch-2.1a15/arpsnmp.8 2006-11-02 17:23:58.000000000 +0100
@@ -96,7 +96,7 @@
.na
.nh
.nf
-/usr/operator/arpwatch - default directory
+/var/lib/arpwatch - default directory
arp.dat - ethernet/ip address database
ethercodes.dat - vendor ethernet block list
.ad
--- arpwatch-2.1a15/arpwatch.8.dirman 2006-11-02 17:00:58.000000000 +0100
+++ arpwatch-2.1a15/arpwatch.8 2006-11-02 17:24:07.000000000 +0100
@@ -198,7 +198,7 @@
.na
.nh
.nf
-/usr/operator/arpwatch - default directory
+/var/lib/arpwatch - default directory
arp.dat - ethernet/ip address database
ethercodes.dat - vendor ethernet block list
.ad

View file

@ -0,0 +1,48 @@
--- arpwatch.8.orig Sun Oct 8 23:31:28 2000
+++ arpwatch.8 Mon Oct 16 16:46:19 2000
@@ -36,13 +36,16 @@
.I interface
]
.br
-.ti +8
+.ti +9
[
.B -n
.IR net [/ width
]] [
.B -r
.I file
+] [
+.B -u
+.I username
]
.ad
.SH DESCRIPTION
@@ -94,10 +97,26 @@
.B arpwatch
does not fork.
.LP
+If
+.B -u
+flag is used,
+.B arpwatch
+drops root privileges and changes user ID to
+.I username
+and group ID to that of the primary group of
+.IR username .
+This is recommended for security reasons.
+.LP
Note that an empty
.I arp.dat
file must be created before the first time you run
-.BR arpwatch .
+.BR arpwatch .
+Also, the default directory (where arp.dat is stored) must be owned
+by
+.I username
+if
+.BR -u
+flag is used.
.LP
.SH "REPORT MESSAGES"
Here's a quick list of the report messages generated by

View file

@ -0,0 +1,93 @@
--- arpwatch-2.1a10/arpwatch.c Sat Oct 14 05:07:35 2000
+++ arpwatch-2.1a10/arpwatch.c Sun Jun 10 16:22:57 2001
@@ -62,7 +62,7 @@
#include <string.h>
#include <syslog.h>
#include <unistd.h>
-
+#include <pwd.h>
#include <pcap.h>
#include "gnuc.h"
@@ -141,6 +141,25 @@
int sanity_fddi(struct fddi_header *, struct ether_arp *, int);
__dead void usage(void) __attribute__((volatile));
+void dropprivileges(const char* user)
+{
+ struct passwd* pw;
+ pw = getpwnam( user );
+ if ( pw ) {
+ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+ setuid(pw->pw_uid) != 0 ) {
+ syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,
+ pw->pw_uid, pw->pw_gid);
+ exit(1);
+ }
+ }
+ else {
+ syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user);
+ exit(1);
+ }
+ syslog(LOG_DEBUG, "Running as uid=%d gid=%d", getuid(), getgid());
+}
+
int
main(int argc, char **argv)
{
@@ -153,6 +172,7 @@
register char *interface, *rfilename;
struct bpf_program code;
char errbuf[PCAP_ERRBUF_SIZE];
+ char* serveruser = NULL;
if (argv[0] == NULL)
prog = "arpwatch";
@@ -170,7 +190,7 @@
interface = NULL;
rfilename = NULL;
pd = NULL;
- while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF)
+ while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF)
switch (op) {
case 'd':
@@ -202,6 +222,16 @@
rfilename = optarg;
break;
+ case 'u':
+ if ( optarg ) {
+ serveruser = strdup(optarg);
+ }
+ else {
+ fprintf(stderr, "%s: Need username after -u\n", prog);
+ usage();
+ }
+ break;
+
default:
usage();
}
@@ -283,8 +313,11 @@
* Revert to non-privileged user after opening sockets
* (not needed on most systems).
*/
- setgid(getgid());
- setuid(getuid());
+ /*setgid(getgid());*/
+ /*setuid(getuid());*/
+ if ( serveruser ) {
+ dropprivileges( serveruser );
+ }
/* Must be ethernet or fddi */
linktype = pcap_datalink(pd);
@@ -751,6 +784,6 @@
(void)fprintf(stderr, "Version %s\n", version);
(void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
- " [-n net[/width]] [-r file]\n", prog);
+ " [-n net[/width]] [-r file] [-u username]\n", prog);
exit(1);
}

View file

@ -0,0 +1,27 @@
--- arpwatch-2.1a15/arp2ethers.scripts 2002-01-05 20:40:48.000000000 +0100
+++ arpwatch-2.1a15/arp2ethers 2006-11-09 14:34:42.000000000 +0100
@@ -13,7 +13,7 @@
# - sort
#
-sort +2rn arp.dat | \
+sort -k 2 -rn arp.dat | \
awk 'NF == 4 { print }' | \
awk -f p.awk | \
egrep -v '\.[0-9][0-9]*$' | \
--- arpwatch-2.1a15/arpfetch.scripts 2006-07-28 20:10:30.000000000 +0200
+++ arpwatch-2.1a15/arpfetch 2006-11-09 14:37:05.000000000 +0100
@@ -4,8 +4,6 @@
# arpfetch - collect arp data from a cisco using net-snmp
#
-export PATH="/usr/local/bin:${PATH}"
-
prog=`basename $0`
if [ $# -ne 2 ]; then
@@ -30,4 +28,3 @@
print ea "\t" ip
}'
-rm -f ${t1}

View file

@ -0,0 +1,63 @@
#!/bin/sh
#
# /etc/rc.d/rc./arpwatch
#
# Start/stop/restart/status arpwatch.
ARPDIR="/var/lib/arpwatch"
IFACE="$2"
OPTIONS="-i $IFACE -f $ARPDIR/arp-$IFACE.dat -u root -e root -s root"
pid="$(ps ax | awk '{if (match($5, ".*/arpwatch$") || $5 == "arpwatch") print $1}')"
start() {
if [ "$IFACE" = "" ]; then
echo "Please specify interface name"
exit 1
else
if [ ! -f "$ARPDIR/arp-$IFACE.dat" ]; then
echo "Creating new database file..."
touch $ARPDIR/arp-$IFACE.dat
echo "Starting arpwatch on $IFACE..."
arpwatch $OPTIONS
else
echo "Starting arpwatch on $IFACE..."
arpwatch $OPTIONS
fi
fi
}
stop() {
echo "Stopping arpwatch..."
killall arpwatch
}
status() {
if [ "$pid" != "" ]; then
echo "arpwatch (pid "$pid") is running..."
else
echo "arpwatch is not running..."
fi
}
case "$1" in
'start')
start
;;
'stop')
stop
;;
'restart')
stop
start
;;
'status')
status
;;
*)
echo ""
echo "Usage: $0 {start [IFACE] | stop | restart [IFACE] | status}"
echo ""
exit 1
esac

View file

@ -0,0 +1,19 @@
# HOW TO EDIT THIS FILE: # The "handy ruler" below makes it easier
to edit a package description. Line # up the first '|' above the
':' following the base package name, and the '|' # on the right
side marks the last column you can put a character in. You must #
make exactly 11 lines for the formatting to be correct. It's also #
customary to leave one space after the ':'.
|-----handy-ruler------------------------------------------------------|
arpwatch: arpwatch (Monitoring tools for tracking IP addresses on a network)
arpwatch:
arpwatch: The arpwatch package contains arpwatch and arpsnmp. Arpwatch and
arpwatch: arpsnmp are both network monitoring tools. Both utilities monitor
arpwatch: Ethernet or FDDI network traffic and build databases of Ethernet/IP
arpwatch: address pairs, and can report certain changes via email.
arpwatch:
arpwatch:
arpwatch: Homepage: http://ee.lbl.gov/
arpwatch:
arpwatch: