Arpwatch reports bogons frequently


  • Hi.

arpwatch reports bogons daily - the reports seem to correspond with DHCP functions - for example, I shut down my PC last night, and when I started it today I found the following arpwatch notifications in my system log:

    Oct 10 08:24:17 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
    Oct 10 08:24:16 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
    Oct 10 08:24:15 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79

    I have one laptop that is filling my logs with notifications such as these: Oct 10 06:29:42 arpwatch bogon 0.0.0.0 50:e0:85:f3:4f:d5

This laptop was, supposedly, sleeping. The power settings sleep the laptop after a bit, but it wakes up approx. every 2 hours (based on arpwatch notifications) and generates about 10 arpwatch alerts, then nothing.

I assume that the alerts are generated while it is seeking a DHCP renewal upon wake-up. I still have to confirm this and why the laptop is waking up (probably antivirus definition updates - it's a corporate domain-joined laptop on my home network).

Is there a way to suppress these alerts while still allowing the alerts for MAC change, new MAC detected, etc., etc.?

  • LAYER 8 Global Moderator

    @1OF1000Quadrillion said in Arpwatch reports bogons frequently:

Is there a way to suppress these alerts while still allowing the alerts for MAC change, new MAC detected, etc., etc.?

So you haven't even looked at the arpwatch GUI interface?

[image: arpwatchbogon.png]


Hi Jonpoz,

EDIT: I just checked my logs again and the bogon alerts are all related to DHCP as far as I can tell, so I enabled the "Disables reporting 0.0.0.0 changes, helpful in busy DHCP networks." rule and will monitor. (Thanks again Jonpoz :-)

    Thanks a bunch for responding.

Yes, I did look, did see it, but wasn't sure if setting those options would then not report a private IP MAC change on my internal network. You were right, I do not remember seeing the DHCP option before; I DO remember seeing "don't report BOGONs". Thanks for the 3rd time :-)

I thought that all private IP ranges were BOGONs?

I just wanted to make sure that if I set those options and I change a network card in one of my HOSTS or a new device is added to my internal network, I would still get the ARP message saying so.

    I assume because you have pointed out these options that I can safely enable them and still be notified of ARP changes on my private LAN(s)?

  • LAYER 8 Global Moderator

    @1OF1000Quadrillion said in Arpwatch reports bogons frequently:

I thought that all private IP ranges were BOGONs?

I have both enabled - and getting notifications.. The one clearly states 0.0.0.0 changes.. Which would be like a client doing a discover ;)

Here is an example of getting an email for RFC 1918:

    hostname: brother.local.lan
              ip address: 192.168.2.50
        ethernet address: 30:05:5c:11:6a:d9
         ethernet vendor: Brother industries, LTD.
               timestamp: Saturday, October 10, 2020 9:31:52 -0500
    

When pfSense pulls the bogon list it does a bit of clean-up on it to remove the RFC 1918 ranges from the list. If you're concerned, just look in the bogons table directly..
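To make the distinction above concrete, here is an added example (not from the thread or from pfSense/arpwatch) that parses arpwatch syslog lines, drops only the "bogon 0.0.0.0" reports a client emits while it is still DHCP-discovering, keeps every new-station / changed-ethernet-address event and every bogon with a real source address, and counts the suppressed chatter per MAC so a host that wakes up and re-leases every couple of hours stays visible. The sample log lines are constructed for the example (shaped like the ones quoted in the thread); the RFC 1918 check is explicit rather than Python's broader `is_private`, because `0.0.0.0/8` is itself treated as private by that property.

```python
import ipaddress
import re
from dataclasses import dataclass

# The three RFC 1918 ranges. The thread notes pfSense strips these from the bogon table,
# so a hit here is a LAN host change worth keeping, not a bogon.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One syslog line as arpwatch writes it: timestamp, program, message kind, IP, MAC, optional tail
# (e.g. the previous MAC in parentheses for "changed ethernet address").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) arpwatch:? "
    r"(?P<kind>bogon|new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?P<rest>.*)$"
)

# Constructed sample log (assumption: follows the message shapes arpwatch uses).
SAMPLE_LOG = """\
Oct 10 08:24:15 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
Oct 10 08:24:16 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
Oct 10 08:24:17 arpwatch bogon 0.0.0.0 30:9c:23:2c:dc:79
Oct 10 06:29:42 arpwatch bogon 0.0.0.0 50:e0:85:f3:4f:d5
Oct 10 09:31:52 arpwatch new station 192.168.2.50 30:05:5c:11:6a:d9
Oct 10 10:02:11 arpwatch changed ethernet address 192.168.2.20 aa:bb:cc:dd:ee:01 (aa:bb:cc:dd:ee:00)
Oct 10 10:15:00 arpwatch bogon 203.0.113.9 00:11:22:33:44:55
"""


@dataclass
class ArpEvent:
    ts: str
    kind: str
    ip: str
    mac: str
    rest: str


def parse_line(line):
    """Return an ArpEvent for an arpwatch line, or None for lines that are not arpwatch's."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ArpEvent(m["ts"], m["kind"], m["ip"], m["mac"], m["rest"].strip())


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(ev):
    """'dhcp-noise': bogon with source 0.0.0.0 (a client that has no lease yet, e.g. DHCPDISCOVER);
    'bogon': any other source address outside the watched network;
    'keep': new station / changed ethernet address / flip flop, the events the thread wants to see."""
    if ev.kind == "bogon":
        return "dhcp-noise" if ev.ip == "0.0.0.0" else "bogon"
    return "keep"


def triage(log_text, suppress_zero=True):
    """Split a log into (kept, suppressed). suppress_zero mirrors the pfSense
    'Disables reporting 0.0.0.0 changes' option: only the 0.0.0.0 bogons are dropped."""
    kept, suppressed = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        if label == "dhcp-noise" and suppress_zero:
            suppressed.append(ev)
        else:
            kept.append((label, ev))
    return kept, suppressed


def summarize(suppressed):
    """Per-MAC count of suppressed 0.0.0.0 reports, so a chatty sleeper is still noticed."""
    counts = {}
    for ev in suppressed:
        counts[ev.mac] = counts.get(ev.mac, 0) + 1
    return counts


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LOG)
    for label, ev in kept:
        lan = " (RFC1918)" if is_rfc1918(ev.ip) else ""
        print(f"{label:10} {ev.ts} {ev.kind} {ev.ip}{lan} {ev.mac} {ev.rest}")
    print("suppressed 0.0.0.0 reports per MAC:", summarize(suppressed))
```

Run it against a real syslog extract to see exactly which lines the 0.0.0.0 option would hide; the per-MAC tally is the part worth alerting on if one address keeps re-discovering at odd hours.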


I have both enabled - and getting notifications.. The one clearly states 0.0.0.0 changes.. Which would be like a client doing a discover ;)

Oh, cool, that's good to know. I will enable the other also; as long as I get the MAC change, new MAC, etc., etc. I can enable it.

This place is awesome, I don't say it enough - but there yah go.

Thanks for the 4th time :-)

    Happy family, turkey day, beer and wine :-)