Netgate Discussion Forum

    Is something wrong with arpwatch?

      scilek

      I use arpwatch to track and log ARP activity on one router (v 2.6.0-RELEASE):

      [image]

      Of course, the service is configured and enabled:
      [image]

      And it is evident from the command line:

      [2.6.0-RELEASE][root@router.somesite.com]/root: ps -aux | grep arpwatch
      root   84346   0.0  0.3   47416  37824  -  Ss   10:06      0:00.07 /usr/local/sbin/arpwatch -v -N -z -C -f /usr/local/arpwatch/arp_bge3.dat -i bge3
      root   84654   0.0  0.3   47428  37848  -  Ss   10:06      0:00.10 /usr/local/sbin/arpwatch -v -N -z -C -f /usr/local/arpwatch/arp_bge3.4.dat -i bge3.4
      root   85278   0.0  0.3   47320  37800  -  Ss   10:06      0:00.05 /usr/local/sbin/arpwatch -v -N -z -C -f /usr/local/arpwatch/arp_bge3.3.dat -i bge3.3
      root   85752   0.0  0.3   47320  37808  -  Ss   10:06      0:00.06 /usr/local/sbin/arpwatch -v -N -z -C -f /usr/local/arpwatch/arp_bge3.5.dat -i bge3.5
      root   56457   0.0  0.0   11268   2504  0  S+   10:24      0:00.00 grep arpwatch
      

      Reporting of bogons is disabled, and that is what the -N flag does.

      However, I have tonnes of useless messages in the general log.
      [image]

      I have deleted thousands but they keep coming, smothering useful information.

      Is this a bug in arpwatch 3.1?

        NogBadTheBad @scilek

        @scilek Does this occur with anything apart from your Hikvision devices? If not, I'd disable arpwatch on LAN_CAM or suppress the MAC addresses.

        AC:B9:2F Hangzhou Hikvision Digital Technology Co.,Ltd.

        BC:9B:5E Hangzhou Hikvision Digital Technology Co.,Ltd.

        https://www.wireshark.org/tools/oui-lookup.html

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
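
One way to check the question raised in the reply above (whether the arpwatch noise comes from anything other than the two Hikvision OUIs) is to tally arpwatch log lines by OUI before deciding what to suppress. This is an added example, not code from the thread or from pfSense; the syslog line layout and the sample lines are constructed assumptions, and only the two OUI prefixes come from the post.

```python
import re
from collections import Counter

# OUI prefixes quoted in the reply; every other prefix is treated as unknown.
KNOWN_OUIS = {
    "AC:B9:2F": "Hangzhou Hikvision Digital Technology Co.,Ltd.",
    "BC:9B:5E": "Hangzhou Hikvision Digital Technology Co.,Ltd.",
}

# Six colon-separated groups of 1-2 hex digits, so unpadded forms such as
# 0:11:22:33:44:55 match while a three-group timestamp (10:06:01) does not.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:])([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})(?![0-9A-Fa-f:])"
)

def oui_of(mac):
    """Zero-pad and upper-case a MAC, then return its first three octets."""
    octets = [o.zfill(2).upper() for o in mac.split(":")]
    return ":".join(octets[:3])

def tally(lines):
    """Count arpwatch messages per OUI, using the first MAC on each line."""
    counts = Counter()
    for line in lines:
        if "arpwatch" not in line:
            continue  # ignore other daemons sharing the general log
        match = MAC_RE.search(line)
        if match:
            counts[oui_of(match.group(1))] += 1
    return counts

def outside_known(lines):
    """Messages from OUIs other than the known ones: what suppression would leave."""
    return {oui: n for oui, n in tally(lines).items() if oui not in KNOWN_OUIS}

# Constructed sample input (assumed syslog layout, made-up addresses).
SAMPLE_LINES = [
    "Mar  3 10:06:01 router arpwatch[84346]: new station 192.168.30.11 ac:b9:2f:0:1:2",
    "Mar  3 10:06:02 router arpwatch[84346]: flip flop 192.168.30.12 bc:9b:5e:aa:bb:cc (ac:b9:2f:0:1:2)",
    "Mar  3 10:06:03 router arpwatch[84654]: new station 192.168.40.5 0:11:22:33:44:55",
    "Mar  3 10:06:04 router sshd[100]: Accepted publickey for admin",
    "Mar  3 10:06:05 router arpwatch[84346]: new activity 192.168.30.11 ac:b9:2f:0:1:2",
]

if __name__ == "__main__":
    for oui, n in tally(SAMPLE_LINES).most_common():
        print(f"{n:6d}  {oui}  {KNOWN_OUIS.get(oui, 'unknown vendor')}")
    print("outside known OUIs:", outside_known(SAMPLE_LINES))
```

If `outside_known` comes back empty for the real log, suppressing only the listed MAC addresses removes the noise while arpwatch keeps reporting on every other station.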

          scilek @NogBadTheBad

          @NogBadTheBad

          I just did that and it stopped, and I think I know why. Those cams use L2 for discovery.

          Thank you very much!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.