ARPWatch FlipFlop
-
Getting ARPWatch Flip Flop Messages every 34 minutes from a Kali Purple Box with two Nic cards.
LAN 192.168.0.224 e9:4e:06:87:30:45
LAN 192.168.0.225 a9:a1:59:d6:f5:dd
LAN 192.168.0.225 e9:4e:06:87:30:45
I know I could suppress the flip flop messages but I would like to understand how/why the Mac is flip flopping between the IP addresses?
On the NIC settings for each card I specified which MAC to use for each device.
I set NIC 1 (Wired connection 1) to the .255 IP address - Mac = a9:a1:59:d6:f5:dd
I set NIC 2 (Wired connection 2) to the 224 IP address - Mac = e9:4e:06:87:30:45
Is there a way to clear the ARP Watch database/table?
-
@Technolust said in ARPWatch FlipFlop:
Is there a way to clear the ARP Watch database/table?
If you check the clear database checkbox it should clear it on an uninstall. Or you could always do it manually: just disable arpwatch, and then in the /usr/local/arpwatch folder delete the .dat and .dat- files. Then restart arpwatch.
-
@johnpoz I removed them manually but Arpwatch still sees them the same way. I'm not sure why Kali Purple is showing NIC one with both Mac addresses and NIC2 with only one MAC address.
-
@Technolust so your db cleared?
So I stopped arpwatch by unchecking the enable checkbox. My db is not very large because I only ran it for a very short time to fill the db with stuff.
You can see current db, then deleted the dat files, now db is empty
If your db was empty, and then your multiple entries show up, or flipflops - then they are happening, and not just some old entry in your db.
-
@johnpoz Yep, I cleared the db just like the pictures you showed and it started rebuilding the arp table again. So it does look like they are flip flopping but I did learn it is only happening on one of the two NIC Cards. .225 Nic 1 shows both Mac addresses from NIC 1 and NIC 2 in the ARP table...
LAN 192.168.0.224 e9:4e:06:87:30:45 EDUP INTERNATIONAL (HK) CO., LTD Sat Apr 20 09:13:05 2024
LAN 192.168.0.225 a9:a1:59:d6:f5:dd ASRock Incorporation Sat Apr 20 09:08:00 2024
LAN 192.168.0.225 e9:4e:06:87:30:45 EDUP INTERNATIONAL (HK) CO., LTD Sat Apr 20 09:05:33 2024
For now I just suppressed the MAC addresses but I would really like to know why Kali is reporting both NIC Card Mac addresses on NIC 1 in the Arp table.
-
@Technolust said in ARPWatch FlipFlop:
but I would really like to know why Kali is reporting both NIC Card Mac addresses
Get with Kali support or their forums.. Pfsense has nothing to do with what mac addresses something puts on the wire.. Arpwatch just reports what it sees.
How about a simple ifconfig output from this Kali box? It will show what MAC addresses are listed for an interface.
example - here is my nas that has multiple interfaces, and what mac they list for each instance of an interface.. It has multiples, running docker instances and running open vswitch for vms on it, etc.
ash-4.4# ifconfig
docker0   Link encap:Ethernet HWaddr 02:42:78:C0:11:CE
          inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:27465728 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25377979 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7155321949 (6.6 GiB) TX bytes:21376593584 (19.9 GiB)

docker186 Link encap:Ethernet HWaddr A2:67:DD:19:CA:1F
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:6129118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6001634 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1837704920 (1.7 GiB) TX bytes:5085324938 (4.7 GiB)

docker20b Link encap:Ethernet HWaddr 56:D8:D5:4C:EB:FC
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:15687 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18240 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6228616 (5.9 MiB) TX bytes:43599547 (41.5 MiB)

docker31b Link encap:Ethernet HWaddr 96:2C:75:39:15:E7
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:169561 errors:0 dropped:0 overruns:0 frame:0
          TX packets:391739 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:29968172 (28.5 MiB) TX bytes:986563196 (940.8 MiB)

docker370 Link encap:Ethernet HWaddr 7E:78:87:D7:59:4B
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6244119 (5.9 MiB) TX bytes:90911 (88.7 KiB)

docker4ce Link encap:Ethernet HWaddr 16:7A:43:EE:F4:12
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:469 errors:0 dropped:0 overruns:0 frame:0
          TX packets:771 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1341275 (1.2 MiB) TX bytes:115507 (112.7 KiB)

docker912 Link encap:Ethernet HWaddr 46:DE:B4:A8:8C:EB
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:351 errors:0 dropped:0 overruns:0 frame:0
          TX packets:470 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2882984 (2.7 MiB) TX bytes:76041 (74.2 KiB)

dockerb04 Link encap:Ethernet HWaddr FE:76:AE:22:81:AF
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:14699786 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12747545 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3199311528 (2.9 GiB) TX bytes:7503928522 (6.9 GiB)

dockercae Link encap:Ethernet HWaddr 4E:66:60:17:BE:AE
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:91850 errors:0 dropped:0 overruns:0 frame:0
          TX packets:145589 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:18155461 (17.3 MiB) TX bytes:159648970 (152.2 MiB)

dockerf06 Link encap:Ethernet HWaddr FA:29:C2:0E:2A:84
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:6492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7026 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:16969805 (16.1 MiB) TX bytes:3162842 (3.0 MiB)

eth0      Link encap:Ethernet HWaddr 00:11:32:7B:29:7D
          UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
          RX packets:265420473 errors:3 dropped:0 overruns:0 frame:3
          TX packets:1765623495 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:70895377842 (66.0 GiB) TX bytes:2581175800785 (2.3 TiB)

eth1      Link encap:Ethernet HWaddr 00:11:32:7B:29:7E
          UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
          RX packets:25018342 errors:3 dropped:0 overruns:0 frame:3
          TX packets:1443762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15282717582 (14.2 GiB) TX bytes:154776134 (147.6 MiB)

eth2      Link encap:Ethernet HWaddr A0:CE:C8:CC:57:AA
          UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
          RX packets:934106059 errors:0 dropped:0 overruns:0 frame:0
          TX packets:213838422 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1364844623928 (1.2 TiB) TX bytes:252703732636 (235.3 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:179040222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:179040222 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:51348338307 (47.8 GiB) TX bytes:51348338307 (47.8 GiB)

ovs_eth0  Link encap:Ethernet HWaddr 00:11:32:7B:29:7D
          inet addr:192.168.9.10 Bcast:192.168.9.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:222736950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:593494311 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:52112776572 (48.5 GiB) TX bytes:2502798699286 (2.2 TiB)

ovs_eth1  Link encap:Ethernet HWaddr 00:11:32:7B:29:7E
          inet addr:192.168.9.11 Bcast:192.168.9.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:994257 errors:0 dropped:57 overruns:0 frame:0
          TX packets:1307475 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:9333479066 (8.6 GiB) TX bytes:145641239 (138.8 MiB)

ovs_eth2  Link encap:Ethernet HWaddr A0:CE:C8:CC:57:AA
          inet addr:192.168.10.10 Bcast:192.168.10.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:118693348 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54479729 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1332228115488 (1.2 TiB) TX bytes:244367874136 (227.5 GiB)

tap021132 Link encap:Ethernet HWaddr 26:77:DB:5D:C3:FD
          UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
          RX packets:3483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11280 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2638777 (2.5 MiB) TX bytes:1720089 (1.6 MiB)

tap021132 Link encap:Ethernet HWaddr 16:59:FE:98:2C:BF
          UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
          RX packets:132802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:231258 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6496010 (6.1 MiB) TX bytes:72501950 (69.1 MiB)

tap021132 Link encap:Ethernet HWaddr 22:1F:B0:1A:C6:48
          UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
          RX packets:11917628 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19614033 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2237893739 (2.0 GiB) TX bytes:14333236286 (13.3 GiB)

ash-4.4#
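
Added example (not part of any post in this thread, and not arpwatch or pfSense code): a Python script that parses ARP table rows in the layout pasted earlier in the thread and reports which IP is claimed by more than one MAC, and which of those MACs is also recorded against another IP. The row layout (interface, IP, MAC, vendor, last seen) is assumed from that listing, and the function names are made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Rows as posted in the thread: interface, IP, MAC, vendor, last-seen time.
SAMPLE = """\
LAN 192.168.0.224 e9:4e:06:87:30:45 EDUP INTERNATIONAL (HK) CO., LTD Sat Apr 20 09:13:05 2024
LAN 192.168.0.225 a9:a1:59:d6:f5:dd ASRock Incorporation Sat Apr 20 09:08:00 2024
LAN 192.168.0.225 e9:4e:06:87:30:45 EDUP INTERNATIONAL (HK) CO., LTD Sat Apr 20 09:05:33 2024
"""

# The vendor field contains spaces, so anchor on the trailing timestamp.
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(?P<vendor>.*?)\s+"
    r"(?P<seen>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})$",
    re.IGNORECASE,
)

def parse_rows(text):
    """Return one dict per well-formed row; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["mac"] = row["mac"].lower()
        row["seen"] = datetime.strptime(row["seen"], "%a %b %d %H:%M:%S %Y")
        rows.append(row)
    return rows

def find_conflicts(rows):
    """Map each IP seen with 2+ MACs to its MACs (oldest sighting first) and to
    the subset of those MACs that is also recorded against a different IP."""
    by_ip, by_mac = defaultdict(dict), defaultdict(set)
    for r in rows:
        by_ip[r["ip"]][r["mac"]] = r["seen"]
        by_mac[r["mac"]].add(r["ip"])
    report = {}
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            report[ip] = {
                "macs": sorted(macs, key=macs.get),
                "shared": sorted(m for m in macs if len(by_mac[m]) > 1),
            }
    return report

if __name__ == "__main__":
    for ip, info in find_conflicts(parse_rows(SAMPLE)).items():
        print(ip, "claimed by", info["macs"], "| also on another IP:", info["shared"])
```

On the rows from the thread this flags only 192.168.0.225, and the MAC it marks as shared is the one also recorded against 192.168.0.224.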