Arpwatch reports bogons frequently
-
Hi.
arpwatch reports bogons daily - the reports seem to correspond with dhcp functions - for example, I shut down my PC last night, and when I started it today I found the following arpwatch notifications in my system log:
Oct 10 08:24:17 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
Oct 10 08:24:16 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
Oct 10 08:24:15 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
I have one laptop that is filling my logs with notifications such as these:
Oct 10 06:29:42 arpwatch bogon 0.0.0.0 50:e0:85:f3:4f:d5
This laptop was, supposedly, sleeping. The power settings sleep the laptop after a bit, but it wakes up approx. every 2 hours (based on arpwatch notifications) and generates about 10 arpwatch alerts, then nothing.
I assume that the alerts are generated while it is seeking a dhcp renewal upon wake up. I still have to confirm this and why the laptop is waking up (probably antivirus definition updates - it's a corporate domain joined laptop on my home network).
Is there a way to suppress these alerts while still allowing the alerts for mac change, new mac detected, etc., etc.?
-
@1OF1000Quadrillion said in Arpwatch reports bogons frequently:
Is there a way to suppress these alerts while still allowing the alerts for mac change, new mac detected, etc., etc.?
So you haven't even looked at the arpwatch gui interface?
-
Hi Jonpoz,
EDIT: I just checked my logs again and the Bogon alerts are all related to DHCP as far as I can tell, so I enabled the "Disables reporting 0.0.0.0 changes, helpful in busy DHCP networks." rule and will monitor. (Thanks again Jonpoz :-)
Thanks a bunch for responding.
Yes, I did look, did see it, wasn't sure if setting those options would then not report on a private IP mac change on my internal network. You were right, I do not remember seeing the dhcp option before, I DO remember seeing don't report BOGONs. Thanks for the 3rd time :-)
I thought that all private IP ranges were BOGONs?
I just wanted to make sure if I set those options and I change a network card in one of my HOSTS or a new device was added to my internal network I would still get the ARPmessage saying so.
I assume because you have pointed out these options that I can safely enable them and still be notified of ARP changes on my private LAN(s)?
-
@1OF1000Quadrillion said in Arpwatch reports bogons frequently:
I thought that all private IP ranges were BOGONs?
I have both enabled - and getting notification.. The one clearly states 0.0.0.0 changes.. Which would be like client doing a discover ;)
Here is an example of getting an email for rfc1918:
hostname: brother.local.lan
ip address: 192.168.2.50
ethernet address: 30:05:5c:11:6a:d9
ethernet vendor: Brother industries, LTD.
timestamp: Saturday, October 10, 2020 9:31:52 -0500
When pfsense pulls bogon it does a bit of clean up on it to remove the rfc1918 from the list. If you're concerned, just look in the bogons table directly..
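An added example, not from this thread and not pfSense's or arpwatch's own code, of the triage the "0.0.0.0 changes" option performs: it parses arpwatch syslog lines like the ones quoted above, suppresses bogons whose sender IP is 0.0.0.0 (a host that has no address yet, such as a client doing a DHCP discover), and keeps new station, changed ethernet address and non-zero bogon events. The sample lines, the regex and the non-bogon message lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of arpwatch syslog lines, modelled on the ones quoted in this thread.
# The "new station" / "changed ethernet address" / 10.99.0.7 lines are made up here, in
# arpwatch's own message style, to show which events the filter must keep.
SAMPLE_LOG = """\
Oct 10 08:24:17 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
Oct 10 08:24:16 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
Oct 10 08:24:15 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
Oct 10 06:29:42 arpwatch bogon 0.0.0.0 50:e0:85:f3:4f:d5
Oct 10 09:31:52 arpwatch new station 192.168.2.50 30:05:5c:11:6a:d9
Oct 10 09:40:01 arpwatch changed ethernet address 192.168.2.20 00:11:22:33:44:55 (aa:bb:cc:dd:ee:ff)
Oct 10 09:41:00 arpwatch bogon 10.99.0.7 de:ad:be:ef:00:01
"""

# Assumed line shape: "<syslog timestamp> arpwatch <message> <ip> <mac> [(<old mac>)]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) arpwatch "
    r"(?P<msg>[a-z ]+?) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-f:]+)"
    r"(?: \((?P<oldmac>[0-9a-f:]+)\))?$"
)

def parse(line):
    """Return the fields of one arpwatch line as a dict, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_dhcp_probe(ev):
    """A bogon with sender IP 0.0.0.0 is a host that has no address yet (DHCP discover or
    address probe); this is the noise the thread is about, not an address change."""
    return ev["msg"] == "bogon" and ev["ip"] == "0.0.0.0"

def triage(log_text):
    """Return (events worth alerting on, per-MAC count of suppressed 0.0.0.0 probes).
    Bogons from a real, non-zero address are kept: those point at a misconfigured or
    unexpected host rather than a DHCP client, and so are new/changed station events."""
    kept, probes = [], Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if is_dhcp_probe(ev):
            probes[ev["mac"]] += 1   # count them so a chatty host is still visible
        else:
            kept.append(ev)
    return kept, probes

if __name__ == "__main__":
    kept, probes = triage(SAMPLE_LOG)
    for ev in kept:
        print(ev["ts"], ev["msg"], ev["ip"], ev["mac"], ev["oldmac"] or "")
    for mac, n in probes.most_common():
        print(f"suppressed {n} x 0.0.0.0 probe(s) from {mac}")
```

The per-MAC probe count is what lets you spot the laptop that wakes every couple of hours without receiving an alert for each discover.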
-
I have both enabled - and getting notification.. The one clearly states 0.0.0.0 changes.. Which would be like client doing a discover ;)
Oh, cool, that's good to know. I will enable the other also; as long as I get the MAC change, new MAC etc., etc. I can enable it.
This place is awesome, I don't say it enough, but there yah go.
Thanks for the 4th time :-)
Happy family, turkey day, beer and wine :-)