Arpwatch email notifications not including hostname or vendor
-
Running pfSense 2.4.4 p3, when a new device joins the network I receive the following email:
Subject line:
<hostname>.<domain> - Arpwatch Notification : new station
Email body:
hostname: <unknown>
ip address: 172.16.x.x
ethernet address: ac:7b:a1:xx:xx:xx
ethernet vendor: <unknown>
timestamp: Tuesday, October 1, 2019 10:58:37 -0500
When I go to Diagnostics -> Arp Table, next to the MAC address it shows (Intel Corporate) and displays the correct device hostname.
How do I get the Arpwatch notifications to include this information from the ARP table?
Receiving an email when a device joins the network has limited usefulness without stating the hostname or vendor... have to go to the DHCP or ARP tables to find out what the device is.
-
After reviewing the following file, /usr/local/pkg/arpwatch.inc:
define('ARPWATCH_LOCAL_DIR', '/usr/local/arpwatch');
define('ARPWATCH_ETHERCODES_URL', 'http://linuxnet.ca/ieee/oui/ethercodes.dat');
and:
function arpwatch_get_arp_file($ifname) {
    return ARPWATCH_LOCAL_DIR."/arp_$ifname.dat";
}

function arpwatch_update_vendors() {
    download_file(ARPWATCH_ETHERCODES_URL, ARPWATCH_LOCAL_DIR."/ethercodes.dat");
}
In /usr/local/arpwatch I see .dat files for each interface, but not ethercodes.dat (screenshot below).
I downloaded ethercodes.dat from the URL and uploaded to the Arpwatch directory, will see if vendor names start resolving in the email notifications.
-
@lburr Did you ever solve this? I have the same issue.
-
@alexm2019 It worked for about 2 hours after I uploaded the ethercodes.dat file and then went back to "ethernet vendor: <unknown>". I spent some more time but couldn't get it to work consistently, so I moved on to other projects that were more pressing & haven't gotten back to this.
The ethernetcodes.dat file is still in the /usr/local/arpwatch directory, just doesn't seem to use it.
If someone can find a permanent solution I'd appreciate it.
-
@lburr
Hi, I have the vendor bit working ok. I'm on the 2.5.2 pfsense version, there is a tick box on the settings page of arpwatch to update vendors. Tick that, hit save, it downloads the file and vendors will appear.
It's the missing host names that are really getting to me. They are in the diagnostics/arp table page but do not turn up on the arpwatch database at all. Manual check every time...
-
@alexm2019 said in Arpwatch email notifications not including hostname or vendor:
It's the missing host names that are really getting to me.
Host names are known to the local 'pfSense' DNS when you select "DHCP registration" :
But, as widely known, that comes with a price (see the other several hundreds forum threads about what happens when you activate this option).
Important note : not every DHCP client communicates a host name when it's registering with the DHCP server.
That's where "Static DHCP" comes in nicely. YOU define the host name for every device you enter there.
As such, for me, arpwatch knows all the names of all my network devices, as I've made a "Static DHCP MAC lease" entry for all those I need to know by name and/or address.
-
@gertjan
Thank you!
Flushing the resolution cache on each DHCP lease seems like a bad idea. I haven't read up the issues others have had yet. Will look into it later.
I've got almost everything on static DHCP reservations already so have ticked that. Annoyingly the notifications I would be interested in information on are the extra things that turn up... ie. will not be on the static dhcp list anyway. Small step in the right direction I guess.
-
Hello. I just started using Arpwatch today. I've been using static DHCP mappings for many of my devices on my network (via Services/DHCP Server/LAN) but the Arpwatch database is not showing the hostnames that I gave my devices, they are all blank. The 'Vendor' is also "unknown", so it's basically making Arpwatch useless. Any ideas why this is happening? I would like the hostnames that I set and also the Vendor to show in the Arpwatch database. Thanks.
-
"arpwatch" is just the program, and it needs a look up table to match MAC addresses to vendor names. Some sort of text database, actually just a text file.
You told it to download the database :?
The database was downloaded : In /usr/local/arpwatch/ you should find :
It's the "ethercodes.dat" file (977 KB) that gets downloaded from http://standards-oui.ieee.org/oui/oui.csv
For me, the "arp_em1.dat" file is the list with devices found on my em1 interface = my LAN interface, which is the database list shown in the first image.
-
@gertjan said in Arpwatch email notifications not including hostname or vendor:
"arpwatch" is just the program, and it needs a look up table to match MAC addresses to vendor names. Some sort of text database, actually just a text file.
Ah, thank you. I have the 'Vendor' column updated now. I saw that setting but it's a bit misleading. It states "Updates the ethernet vendor database". Since I just installed Arpwatch, I assumed the database was downloaded and I didn't need to update it. That setting actually downloads the database for the first time.
@Gertjan Any ideas why the 'Hostname' column isn't updating with the hostnames that I have in Services/DHCP Server/LAN ? (Static DHCP mappings)
-
@pulsartiger said in Arpwatch email notifications not including hostname or vendor:
Any ideas why the 'Hostname' column ...
So, on the command line, when I use 'arp' :
[2.5.2-RELEASE][root@pfsense.my.place]/root: arp pfsense
pfsense.my.place (192.168.1.1) at 00:15:17:xx:ab:cd on em1 permanent [ethernet]
'arp' uses internal 'FreeBSD' tables, and uses probably some jedi mind tricks (a DNS reverse request ?), when it has the MAC and IP, it can obtain the host name - if known locally. The guy who is paid to know all these things : the resolver : unbound.
You said you use a lot of Static DHCP lease, so go have a look into here
cat /etc/hosts
as all DHCP static leases details are stored over there.
That file, the famous /etc/hosts, is included by unbound, the Resolver, see the line
# Static host entries include: /var/unbound/host_entries.conf
in /var/unbound/unbound.conf
The "/var/unbound/host_entries.conf" file is created from /etc/hosts.
To make a long story short :
If the resolver (unbound) works, arp and thus arpwatch knows all about hosts from the /etc/hosts.
Btw : There is a condition : This option should be enabled :
Page Services > DNS Resolver > General Settings
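The two lookups discussed in this thread, vendor from ethercodes.dat and host name from /etc/hosts as served by the resolver, reproduced as a stand-alone check. This is an added example, not arpwatch's own code and not something posted by anyone in the thread. It assumes the ethercodes.dat layout arpwatch reads (three hex bytes per OUI with leading zeros dropped, a tab, then the vendor name) and substitutes constructed sample data for the real files, so it runs anywhere; on a pfSense box you would feed it the contents of /usr/local/arpwatch/ethercodes.dat and /etc/hosts instead and pass the MAC and IP from a notification to see which of the two lookups is the one returning <unknown>.

```shell
#!/bin/sh
# Added example: mimic the two lookups arpwatch performs when it fills in the
# "ethernet vendor" and "hostname" fields of a "new station" notification.
# All data below is constructed; on a real system read the variables from
# /usr/local/arpwatch/ethercodes.dat and /etc/hosts instead.

TAB=$(printf '\t')

# Constructed stand-in for ethercodes.dat: OUI (leading zeros dropped), tab, vendor.
SAMPLE_ETHERCODES=$(printf '0:15:17\tIntel Corporate\nac:7b:a1\tIntel Corporate\n0:0:c\tCisco Systems, Inc\n')

# Constructed stand-in for /etc/hosts (what unbound loads through host_entries.conf).
SAMPLE_HOSTS=$(printf '127.0.0.1\tlocalhost\n192.168.1.1\tpfsense.my.place pfsense\n192.168.1.50\tprinter.my.place printer\n')

# Reduce any spelling of a MAC (upper or lower case, with or without leading
# zeros) to the key form used in ethercodes.dat: first three bytes, lower case,
# leading zeros stripped from each byte.
mac_to_oui() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        for (i = 1; i <= 3; i++) {
            sub(/^0+/, "", $i)
            if ($i == "") $i = "0"
        }
        printf "%s:%s:%s\n", $1, $2, $3
    }'
}

# Vendor for a MAC, or "<unknown>" (the value seen in the email) when the OUI
# is not present in the table.
lookup_vendor() {
    oui=$(mac_to_oui "$1")
    vendor=$(printf '%s\n' "$SAMPLE_ETHERCODES" |
        awk -F"$TAB" -v k="$oui" '$1 == k { print $2; exit }')
    if [ -n "$vendor" ]; then printf '%s\n' "$vendor"; else printf '<unknown>\n'; fi
}

# Host name for an IP from hosts-file data (first name listed after the
# address), or "<unknown>" when no static entry exists for it.
lookup_host() {
    name=$(printf '%s\n' "$SAMPLE_HOSTS" | awk -v ip="$1" '$1 == ip { print $2; exit }')
    if [ -n "$name" ]; then printf '%s\n' "$name"; else printf '<unknown>\n'; fi
}

# Assemble the same fields arpwatch puts in a notification, so a missing
# vendor or name can be traced to one of the two lookups above.
notification_fields() {
    printf 'hostname: %s\nip address: %s\nethernet address: %s\nethernet vendor: %s\n' \
        "$(lookup_host "$2")" "$2" "$1" "$(lookup_vendor "$1")"
}

notification_fields 00:15:17:aa:bb:cc 192.168.1.1
notification_fields ac:7b:a1:11:22:33 172.16.0.9
```

With the real files in place of the sample strings, "<unknown>" from lookup_vendor means the OUI is absent from ethercodes.dat (or the file is in a different layout than the one assumed here), while "<unknown>" from lookup_host means the address has no entry in /etc/hosts, which on pfSense is where static DHCP mappings and the DHCP registration option put names for the resolver to serve.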
-
@gertjan said in Arpwatch email notifications not including hostname or vendor:
Page Services > DNS Resolver > General Settings
@Gertjan - Yep, I checked that setting off after finding this thread when searching for an answer. It doesn't appear that Arpwatch updates the hostnames if this setting is enabled after devices are in the list. I ended up clearing the databases and now my devices show the Hostnames. Thanks for the help on this!
-
I'm back again. I just realized that I have several devices that I do not have a static IP address assigned to them but I do have a static mapping, which I assigned a Hostname. Is it possible for Arpwatch to see these mappings or does it only look at static IP addresses?
EDIT: I am a bit confused. I don't recall how I set the Hostnames of my devices that I did not assign a static IP address for. When I go into 'Status / DHCP Leases', I see all of my devices. The ones that I have a static IP address for are at the top (with a person icon next to them), my other devices are below the static IP address. When I first set up pfsense, I set the Hostnames. I don't recall how I did this.
-
@pulsartiger said in Arpwatch email notifications not including hostname or vendor:
I don't recall how I did this.
Then recall.
Go to Services > DHCP Server> LAN and go to the bottom of the page.
Look under "DHCP Static Mappings for this Interface (total: xx)".
The "Hostname" column will be the host name.
I have some Static DHCP mappings listed that are actually devices NOT using DHCP, they have a static IP setup. Arpwatch doesn't mind. It will list all 'live' MAC with IP devices.