Arpwatch issues
-
I started looking into arpwatch after I got this error "Fatal error: Call to undefined function stop_service() in /usr/local/www/arpwatch_reports.php on line 37"
which led me to this post: http://forum.pfsense.org/index.php?topic=41057.0
and the solution was "Hard drive was damaged and replaced. After that, everything was working well. Most likely the problem was this."
I think that is very odd, because I started to look where stop_service() is declared and found it in this file /etc/inc/service-utils.inc
which is not included in /usr/local/www/arpwatch_reports.php
So I included service-utils.inc and the problem was solved. Is this a miss by the author, or how come service-utils.inc wasn't included?
patch:--- arpwatch_reports.php 2012-06-29 14:33:58.000000000 +0200 +++ arpwatch_reports_include_fix.php 2012-06-29 14:09:10.000000000 +0200 @@ -30,6 +30,7 @@ */ require("guiconfig.inc"); +require_once("service-utils.inc"); $logfile = "/usr/local/arpwatch/arp.dat";
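Review bot: the added require_once("service-utils.inc") line carries no comment saying why this page needs it; a one-line note that stop_service() is defined there would keep a later cleanup from dropping the include again. The context line above it uses require for guiconfig.inc while the new line uses require_once, so consider require_once for both to keep the style consistent.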
Next issue:
When I click on "Clear log" arp.dat is accessed but not cleared
ls -l /usr/local/arpwatch/arp.dat
-rw-r--r-- 1 root wheel 163 Jun 29 12:12 /usr/local/arpwatch/arp.dat
clicks again, same result,
third time it is cleared:
ls -l /usr/local/arpwatch/arp.dat
-rw-r--r-- 1 root wheel 0 Jun 29 12:17 /usr/local/arpwatch/arp.dat
for some reason unlink does not work probably, but can't figure out why
no errors shown in /var/log/lighttpd.error.log
Last issue:
This is what happens when I change interface in https://192.168.0.1/pkg_edit.php?xml=arpwatch.xml&id=0:
clog -f /var/log/arpwatch.log
Jun 29 11:52:54 FW arpwatch: listening on em0 #arpwatch is started and WLAN (em0) is chosen here
Jun 29 12:18:29 FW arpwatch: exiting #choose LAN
Jun 29 12:18:31 FW arpwatch: listening on em0 #still on WLAN (em0)
Jun 29 12:20:13 FW arpwatch: exiting #choose LAN again
Jun 29 12:20:15 FW arpwatch: listening on bge1 #this time the interface is changed to LAN (bge1)
As you can see, the first time I choose LAN the interface is not changed; the second time it changes the interface.
This is because
1. old config-file is parsed
2. arpwatch is restarted with settings from old config
3. new config-file is written with the new values
It is solved by changing /usr/local/pkg/arpwatch.xml to $int = $_POST['interface'] instead of $config
patch:--- arpwatch.xml 2012-06-29 14:13:59.000000000 +0200 +++ arpwatch_POST_fix.xml 2012-06-29 14:07:07.000000000 +0200 @@ -91,7 +91,7 @@ global $config; conf_mount_rw(); config_lock(); - $int = $config['installedpackages']['arpwatch']['config'][0]['interface']; + if($_POST['interface'] != "") { $int = $_POST['interface']; } else { $int = $config['installedpackages']['arpwatch']['config'][0]['interface']; } $int = convert_friendly_interface_to_real_interface_name($int); $start = "/usr/local/sbin/arpwatch -d -i {$int} > /var/log/arpwatch.reports 2>&1 &"; $stop = "/usr/bin/killall arpwatch";
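Review bot: on the added line, $_POST['interface'] is assigned to $int without being checked against the interfaces the firewall actually has, and $int is then interpolated into the $start shell command string. The only step between the two in this hunk is convert_friendly_interface_to_real_interface_name(), and nothing visible here shows it rejecting unexpected input, so validate the posted value against the known interface names before use and wrap it in escapeshellarg() when building $start. Testing isset($_POST['interface']) first would also avoid an undefined-index notice when this code runs outside a form submit.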
info:
package: http://files.pfsense.org/packages/8/All/arpwatch-2.1.a15_6.tbz
system: 2.0.1-RELEASE (i386) built on Mon Dec 12 18:24:17 EST 2011 FreeBSD 8.1-RELEASE-p6 (upgraded from 1.2.3-RELEASE ) -
Hi and thank you, you allowed me to solve the first problem (unable to clean the report).
I don't have the other two problems, but I have another issue, like everyone who's using arpwatch on pfsense likely has.
Which is, I need the pfsense box to email me when arpwatch does something.
From the arpwatch logs, I can see that arpwatch is indeed trying to send me an email to notify me of changes to arp.dat, but cannot find /usr/bin/sendmail.
I understand sendmail is not officially available in pfsense.
Can you or anyone explain how (if at all possible) I can install and configure it, or else how can I get arpwatch to send me email?
Thanks -
Btw, once you test them, you can submit those bug-fixes to the pfsense public repository at GitHub (https://github.com/bsdperimeter/pfsense-packages).
The steps to do this are:
- open an account at GitHub (if you don't have one already)
- fork pfsense-packages (or the other repositories as well)
- make changes
- open a pull request
-
I just submitted a pull request and Jimp has merged it. It fixes the "not saving the interface name the first time" problem and makes the install work on 2.1 with the pbi file - the default arp.dat file location had changed and the package code was not aware. Now arp.dat is in /var/log. That also makes it work on nanobsd, where /usr is RO.
Reinstall and confirm it goes. -
I have just reinstalled the package.
The version number did not change (2.1.a15_6).
Reinstalling reintroduced the bug with being unable to clean the report.
I had to edit the php file as per this topic again. -
Nice, thank you phil.davis for pushing it to github, I have a github acc but didn't know about that repository.
now it's just a few more bugs left ::)
the mail part is very important, I had this package running on a lan-party last week and forgot about it.
when I checked the report I saw my server's mac-address on 3 ip-addresses, it was because I used linux-vserver but if it had been an arp poisoning I would not have noticed until I got ssl-warnings and slow network :P