ArpWatch troubleshooting
-
0.0.0.0 is the IP address used in the ARP packet. Usually a DHCP client before it gets a lease for example.
-
@stephenw10 So then... if I understand the syslog message correctly,
IP 0.0.0.0 used to belong to hostA now it belongs to hostB
But this is erroneous as both hosts have static IPs?
How come I don't see this with clients on a DHCP managed network configured for Arpwatch?
-
Maybe you have "Disable 0.0.0.0" set in the ARPwatch settings?
-
@stephenw10 Indeed I do.
-
That'll do it!
I have that set. Logging 0.0.0.0 changes is not really helpful IMO.
-
@stephenw10
Gotcha! Thank you
So with that enabled, will that help in understanding the syslogs I'm receiving from arpwatch? That's the part I'm not getting, which is why am I receiving these flip flop messages from statically IP assigned hosts.
-
Yeah it's warning you that more than one MAC is using the same IP address which can obviously be a problem. But not when it's 0.0.0.0.
-
@stephenw10
Def makes sense. Nice! Thank you once again for the quick response and the very helpful tip. Appreciate you!
-
@stephenw10
Looks like I'm still getting these alerts.

hostname: <unknown>
ip address: 0.0.0.0
ethernet address: 00:11:32:c4:06:f5
ethernet vendor: Synology Incorporated
old ethernet address: 00:11:32:78:37:5b
old ethernet vendor: Synology Incorporated
timestamp: Tuesday, June 25, 2024 14:58:10 -0400
previous timestamp: Tuesday, June 25, 2024 14:43:33 -0400
delta: 14 minutes

Anything I can do?
-
After setting that checkbox? Hmm, try restarting arpwatch. Though I would have expected that to happen anyway...
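
A way to post-filter reports in the format quoted in this thread, given here as an added example that is not part of the original posts or of arpwatch itself: it parses the key/value report blocks and sets aside MAC changes reported for 0.0.0.0, leaving changes on real addresses for review. The function names and the second sample report are assumptions made for illustration.

```python
import re

# First block: the report quoted in the thread. Second block: constructed
# (documentation IP 192.0.2.10, made-up MACs) to show a report worth a look.
SAMPLE = """\
hostname: <unknown>
ip address: 0.0.0.0
ethernet address: 00:11:32:c4:06:f5
ethernet vendor: Synology Incorporated
old ethernet address: 00:11:32:78:37:5b
old ethernet vendor: Synology Incorporated
timestamp: Tuesday, June 25, 2024 14:58:10 -0400
previous timestamp: Tuesday, June 25, 2024 14:43:33 -0400
delta: 14 minutes

hostname: <unknown>
ip address: 192.0.2.10
ethernet address: 02:00:00:aa:bb:01
old ethernet address: 02:00:00:aa:bb:02
"""

def parse_reports(text):
    """Split blank-line-separated reports into dicts of 'key: value' fields."""
    reports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on first colon only
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "ip address" in fields:
            reports.append(fields)
    return reports

def triage(reports):
    """Separate 0.0.0.0 MAC changes (noise) from changes on a real IP."""
    noise, actionable = [], []
    for r in reports:
        old, new = r.get("old ethernet address"), r.get("ethernet address")
        if not old or old == new:
            continue  # not a MAC-change report
        (noise if r["ip address"] == "0.0.0.0" else actionable).append(r)
    return noise, actionable

if __name__ == "__main__":
    noise, actionable = triage(parse_reports(SAMPLE))
    for r in actionable:
        print(f"{r['ip address']}: {r['old ethernet address']} -> {r['ethernet address']}")
    print(f"ignored {len(noise)} report(s) for 0.0.0.0")
```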