What is the status of ARPWATCH package?



  • I've been reading some of the comments on arpwatch and was wondering if there is an active maintainer for the arpwatch package? (or has it been abandoned?)

    Any sense in filing bug reports? Is it likely to be fixed.

    Unlike some of the other users, it seems to be "doing it's job" - database seems good and the new station reports seem to be good as well. In my case I seem to beg getting reports like this:

    Subject: router - Arpwatch Notification : Cron root@domain /root/bin/cronjob
    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
    X-Cron-Env: <HOME=/root>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>

    cronjob is a custom web site monitor written in python. It runs every 5 minutes, but I only get a handful of these messages/day. Any ideas how I figure out what is going on?

    Is arpwatch compiled or is it writen in some type of scripting language like perl/python/sh etc. If so where can I find the source?

    Any input would be much appreciated.



  • I’m getting the same report, except every time the Cron job runs.



  • I noticed that ARPWATCH is still in the package list... does anyone know if it as been updated since my original post and if it now has a maintainer. IIRC at the time of my original post I remember reading something that lead me to believe that there was no maintainer.



  • @guardian

    Getting the same thing... All seems to be working fine except for the details of deleted of devices.

    When a new device arrives, it sends an email WITH the device info. This is great and very useful.
    It also sends a message when something is deleted, but with NO DEVICE INFO...

    Not sure if this is being maintained either, but would really like to see this fixed or a suggestion for an equivalent replacement, if one exists.

    Not knowing what device is being deleted, although maybe not quite as important as a new device, still does not help.

    I would be willing to try and help diagnose the issue on my installation, time permitting, if anyone is willing.

    Subject of email:
    <OMITTED Node name> - Arpwatch Notification : Cron <OMITTED User@Node name> /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshguard

    Contents of email:
    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
    X-Cron-Env: <HOME=/root>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>

    sshguard: 1 of 1 entries deleted.



  • @eveready1010 thanks for the reply.

    I'm wondering if anyone else knows the status of this package?

    Does it have a maintainer? Is it likely to be dropped?



  • Seeing if we can resurrect this. I love the arpwatch package, but am having an issue where it's sending an EXCESSIVE amount of emails. It's sending stuff for any cron that runs, with haproxy running on multiple hosts in an HA cluster, this quickly adds up.



  • The FreeBSD package page for arpwatch shows that it was last released about 13 years ago. There have been a number of patches since, with the latest being 2 months ago.

    https://github.com/freebsd/freebsd-ports/tree/master/net-mgmt/arpwatch



  • @MMapplebeck said in What is the status of ARPWATCH package?:

    Seeing if we can resurrect this. I love the arpwatch package, but am having an issue where it's sending an EXCESSIVE amount of emails. It's sending stuff for any cron that runs, with haproxy running on multiple hosts in an HA cluster, this quickly adds up.

    That would be fantastic if you could get it fixed.

    @KOM said in What is the status of ARPWATCH package?:

    The FreeBSD package page for arpwatch shows that it was last released about 13 years ago. There have been a number of patches since, with the latest being 2 months ago.

    https://github.com/freebsd/freebsd-ports/tree/master/net-mgmt/arpwatch

    I used to have arpwatch running on a small "raspberry pi like" computer under and it worked just fine. Other than library updates I wouldn't suspect that a program like that would need much in the way of updates unless a CVE gets discovered.



  • I recently had to delete and re-create a vpn ouotbound connection, and arpwatch did not like this. In addition to the usual mesages, I am getting this with every cron execution - the interface mentioned in the email I get below does not exist anymore. It is not mentioned in the xml if I do a backup and edit either - I assume its in some sort of arpwatch database, but no amount of uninstalling and re-installing seem to rectify this email every 5 minutes :

    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
    X-Cron-Env: <HOME=/root>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>

    Error: Unable to get interface "ovpnc3" statistics.



  • @vw-kombi said in What is the status of ARPWATCH package?:

    I recently had to delete and re-create a vpn ouotbound connection, and arpwatch did not like this. In addition to the usual mesages, I am getting this with every cron execution - the interface mentioned in the email I get below does not exist anymore. It is not mentioned in the xml if I do a backup and edit either - I assume its in some sort of arpwatch database, but no amount of uninstalling and re-installing seem to rectify this email every 5 minutes :

    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
    X-Cron-Env: <HOME=/root>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>

    Error: Unable to get interface "ovpnc3" statistics.

    I don't know anything about the inner workings of pfSense, but is it possible that this is causing an interface to become visible/invisible, and arpwatch is "just doing it's job" in alerting that a "device" has appeared on the network (and not been marked as an allowed device), disappeared, and then reappeared. Every tine the device comes back, it generates an alert, and unless there is some way to mark the MAC address as "allowed" this behaviour will never stop.

    Just a thought, I don't know if it has any merit.


Log in to reply