Arpwatch issues

DomeDan

I started looking into arpwatch after I got this error "Fatal error: Call to undefined function stop_service() in /usr/local/www/arpwatch_reports.php on line 37"
which lead me to this post: http://forum.pfsense.org/index.php?topic=41057.0
and the solution was "Hard drive was damaged and replaced. After that, everything was working well. Most likely the problem was this."
I think that is very odd, because I started to look where stop_service() is declared and found it in this file /etc/inc/service-utils.inc
which is not included in /usr/local/www/arpwatch_reports.php

So I included service-utils.inc and the problem was solved, is this a miss by the author or how come service-utils.inc wasn't included?
patch:

--- arpwatch_reports.php	2012-06-29 14:33:58.000000000 +0200
+++ arpwatch_reports_include_fix.php	2012-06-29 14:09:10.000000000 +0200
@@ -30,6 +30,7 @@
 */

 require("guiconfig.inc");
+require_once("service-utils.inc");

 $logfile = "/usr/local/arpwatch/arp.dat";

Next issue:

When I click on "Clear log" arp.dat is accessed but not cleared

ls -l /usr/local/arpwatch/arp.dat

-rw-r–r--  1 root  wheel  163 Jun 29 12:12 /usr/local/arpwatch/arp.dat

clicks again, same result,
third time it is cleared:

ls -l /usr/local/arpwatch/arp.dat

-rw-r–r--  1 root  wheel  0 Jun 29 12:17 /usr/local/arpwatch/arp.dat

for some reason unlink does not work probably, but cant figure out why
no errors shown in /var/log/lighttpd.error.log

Last issue:

This is what happens when I change interface in https://192.168.0.1/pkg_edit.php?xml=arpwatch.xml&id=0:

clog -f /var/log/arpwatch.log

Jun 29 11:52:54 FW arpwatch: listening on em0  #arpwatch is started and WLAN (em0) is choosen here
Jun 29 12:18:29 FW arpwatch: exiting                #choose LAN
Jun 29 12:18:31 FW arpwatch: listening on em0  #still on WLAN (em0)
Jun 29 12:20:13 FW arpwatch: exiting                #choose LAN again
Jun 29 12:20:15 FW arpwatch: listening on bge1 #this time the interface is changed to LAN (bge1)

as you can see, the first time I choose LAN the interface is not changed, second time it changes the interface.

This is because
1. old config-file is parsed
2. arpwatch is restarted with settings from old config
3. new config-file is written with the new values

It is solved by changing /usr/local/pkg/arpwatch.xml to $int = $_POST['interface'] instead of $config
patch:

--- arpwatch.xml	2012-06-29 14:13:59.000000000 +0200
+++ arpwatch_POST_fix.xml	2012-06-29 14:07:07.000000000 +0200
@@ -91,7 +91,7 @@
 		global $config;
                 conf_mount_rw();
                 config_lock();
-		$int = $config['installedpackages']['arpwatch']['config'][0]['interface'];
+		if($_POST['interface'] != "") { $int = $_POST['interface']; } else { $int = $config['installedpackages']['arpwatch']['config'][0]['interface']; }
 		$int = convert_friendly_interface_to_real_interface_name($int);
 		$start = "/usr/local/sbin/arpwatch -d -i {$int} > /var/log/arpwatch.reports 2>&1 &";
 		$stop = "/usr/bin/killall arpwatch";

info:
package: http://files.pfsense.org/packages/8/All/arpwatch-2.1.a15_6.tbz
system: 2.0.1-RELEASE (i386) built on Mon Dec 12 18:24:17 EST 2011 FreeBSD 8.1-RELEASE-p6 (upgraded from 1.2.3-RELEASE )

MaxFrames

Hi and thank you, you allowed me to solve the first problem (unable to clean the report).
I don't have the other two problems, but I have another issue, like everyone who's using arpwatch on pfsense likely has.
Which is, I need the pfsense box to email me when arpwatch does something.
From the arpwatch logs, I can see that arpwatch is indeed trying to send me an email to notify me of changes to arp.dat, but cannot find /usr/bin/sendmail.
I understand sendmail is not officially available in pfsense.
Can you or anyone explain how (if at all possible) I can install and configure it, or else how can I get arpwatch to send me email?
Thanks

dhatz

Btw, once you test them, you can submit those bug-fixes to the pfsense public repository at GitHub (https://github.com/bsdperimeter/pfsense-packages).

The steps to do this are:

1. open an account at GitHub (if you don't have one already)
2. fork pfsense-packages (or the other repositories as well)
3. make changes
4. open a pull request

phil.davis

I just submitted a pull request and Jimp has merged it. It fixes the "not saving the interface name the first time" problem and makes the install work on 2.1 with the pbi file - the default arp.dat file location had changed and the package code was not aware. Now arp.dat is in /var/log. That also makes it work on nanobsd, where /usr is RO.
Reinstall and confirm it goes.

MaxFrames

I have just reinstalled the package.
The version number did not change (2.1.a15_6).
Reinstalling reintroduced the bug with being unable to clean the report.
I had to edit the php file as per this topic again.

DomeDan

Nice, thank you phil.davis for pushing it to github, I have a github acc but didnt know about that repository.

now its just a few more bugs left  ::)
the mail part is very important, I had this package running on a lan-party last week and forgot about it.
when I checked the report I saw my server's mac-address on 3 ip-adresses, it was because i used linux-vserver but if it had been an arp poisoning I would not have notices untill I got ssl-warnings and slow network :P