Arpwatch email notifications not including hostname or vendor



  • Running pfSense 2.4.4 p3, when a new device joins the network I receive the following email:

    Subject line:
    <hostname>.<domain> - Arpwatch Notification : new station

    Email body:
    hostname: <unknown>
    ip address: 172.16.x.x
    ethernet address: ac:7b:a1:xx:xx:xx
    ethernet vendor: <unknown>
    timestamp: Tuesday, October 1, 2019 10:58:37 -0500

    When I go to Diagnostics -> Arp Table, next to the MAC address it shows (Intel Corporate) and displays the correct device hostname.

    How do I get the Arpwatch notifications to include this information from the ARP table?

    Receiving an email when a device joins the network has limited usefulness without stating the hostname or vendor; I have to go to the DHCP or ARP tables to find out what the device is.



  • After reviewing the following file, /usr/local/pkg/arpwatch.inc:

    define('ARPWATCH_LOCAL_DIR', '/usr/local/arpwatch');
    define('ARPWATCH_ETHERCODES_URL', 'http://linuxnet.ca/ieee/oui/ethercodes.dat');
    

    and:

    function arpwatch_get_arp_file($ifname) {
    	return ARPWATCH_LOCAL_DIR."/arp_$ifname.dat";
    }
    
    function arpwatch_update_vendors() {
    	download_file(ARPWATCH_ETHERCODES_URL, ARPWATCH_LOCAL_DIR."/ethercodes.dat");
    }
    

    In /usr/local/arpwatch I see .dat files for each interface, but not ethercodes.dat (screenshot below).

    90175e43-86a4-4e81-845c-800ecaa04a38-image.png

    I downloaded ethercodes.dat from the URL and uploaded it to the Arpwatch directory; I will see if vendor names start resolving in the email notifications.


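Added example (not part of the thread and not pfSense package code): a shell check for the situation in the second post, confirming that an ethercodes.dat file is present and non-empty and looking up a MAC's vendor prefix in it. It assumes each line is `<oui><TAB><vendor>` with the OUI as three colon-separated hex octets, with or without leading zeros; `oui_norm` and `vendor_lookup` are hypothetical helper names and the sample data is constructed.

```sh
#!/bin/sh
# Added example. Assumed file format: "<oui><TAB><vendor>", where <oui> is three
# colon-separated hex octets with or without leading zeros ("0:0:c" or "00:00:0c").

# Print the first three octets of a MAC/OUI as lower-case, zero-padded "aa:bb:cc".
oui_norm() {
    printf '%s\n' "$1" | awk -F'[:-]' '{
        if (NF < 3) exit 1
        out = ""; sep = ""
        for (i = 1; i <= 3; i++) {
            o = tolower($i)
            if (o !~ /^[0-9a-f][0-9a-f]?$/) exit 1
            if (length(o) == 1) o = "0" o
            out = out sep o; sep = ":"
        }
        print out
    }'
}

# vendor_lookup FILE MAC: print the vendor for MAC's prefix.
# Returns 0 on a match, 1 if the prefix is not listed, 2 if FILE is missing or
# empty (the state described in the post), 3 if MAC is malformed.
vendor_lookup() {
    file=$1
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    want=$(oui_norm "$2") || { echo "malformed MAC: $2" >&2; return 3; }
    awk -F'\t' -v want="$want" '
        {
            if (split($1, o, ":") != 3) next
            key = ""; sep = ""
            for (i = 1; i <= 3; i++) {
                p = tolower(o[i])
                if (length(p) == 1) p = "0" p
                key = key sep p; sep = ":"
            }
            if (key == want) { print $2; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$file"
}

# Constructed sample data, not the real ethercodes.dat.
sample=$(mktemp /tmp/ethercodes.XXXXXX)
printf '0:0:c\tExample Vendor A\nac:7b:a1\tIntel Corporate\n' > "$sample"
vendor_lookup "$sample" 'AC:7B:A1:00:00:01'
vendor_lookup "$sample" 'de:ad:be:00:00:01' || echo "prefix not listed"
rm -f "$sample"
```

On the firewall in the thread, FILE would be /usr/local/arpwatch/ethercodes.dat, the path that arpwatch_update_vendors() in arpwatch.inc writes to.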