File arpwatch-2.1a11-tokenring.diff of Package arpwatch.20084
--- arpwatch-2.1a11/arpwatch.8
+++ arpwatch-2.1a11/arpwatch.8
@@ -47,12 +47,12 @@
 .ad
 .SH DESCRIPTION
 .B Arpwatch
-keeps track for ethernet/ip address pairings. It syslogs activity
+keeps track for MAC/IP address pairings. It syslogs activity
 and reports certain changes via email.
 .B Arpwatch
 uses
 .BR pcap (3)
-to listen for arp packets on a local ethernet interface.
+to listen for arp packets on a local ethernet/tokenring/fddi interface.
 .LP
 The
 .B -d
@@ -62,7 +62,7 @@
 .LP
 The
 .B -f
-flag is used to set the ethernet/ip address database filename.
+flag is used to set the MAC/IP address database filename.
 The default is
 .IR arp.dat .
 .LP
@@ -106,26 +106,26 @@
 .BR arpsnmp (1)):
 .TP
 .B "new activity"
-This ethernet/ip address pair has been used for the first time six
+This MAC/IP address pair has been used for the first time six
 months or more.
 .TP
 .B "new station"
-The ethernet address has not been seen before.
+The MAC address has not been seen before.
 .TP
 .B "flip flop"
-The ethernet address has changed from the most recently seen address to
+The MAC address has changed from the most recently seen address to
 the second most recently seen address.
-(If either the old or new ethernet address is a DECnet address and it
+(If either the old or new MAC address is a DECnet address and it
 is less than 24 hours, the email version of the report is suppressed.)
 .TP
-.B "changed ethernet address"
-The host switched to a new ethernet address.
+.B "changed MAC address"
+The host switched to a new MAC address.
 .SH "SYSLOG MESSAGES"
 Here are some of the syslog messages;
 note that messages that are reported are also sysloged.
 .TP
-.B "ethernet broadcast"
-The mac ethernet address of the host is a broadcast address.
+.B "MAC broadcast"
+The MAC address of the host is a broadcast address.
 .TP
 .B "ip broadcast"
 The ip address of the host is a broadcast address.
@@ -133,15 +133,15 @@
 .B "bogon"
 The source ip address is not local to the local subnet.
 .TP
-.B "ethernet broadcast"
-The source mac or arp ethernet address was all ones or all zeros.
+.B "MAC broadcast"
+The source MAC address was all ones or all zeros.
 .TP
-.B "ethernet mismatch"
-The source mac ethernet address didn't match the address inside
+.B "MAC mismatch"
+The source MAC address didn't match the address inside
 the arp packet.
 .TP
-.B "reused old ethernet address"
-The ethernet address has changed from the most recently seen address to
+.B "reused old MAC address"
+The MAC address has changed from the most recently seen address to
 the third (or greater) least recently seen address.
 (This is similar to a flip flop.)
 .TP
@@ -153,7 +153,7 @@
 .nh
 .nf
 /usr/operator/arpwatch - default directory
-arp.dat - ethernet/ip address database
+arp.dat - MAC/IP address database
 ethercodes.dat - vendor ethernet block list
 .ad
 .hy
--- arpwatch-2.1a11/arpwatch.c
+++ arpwatch-2.1a11/arpwatch.c
@@ -26,6 +26,8 @@
 "@(#) $Id: arpwatch.c,v 1.63 2000/10/14 02:07:28 leres Exp $ (LBL)";
 #endif
+#define TOKEN 1
+
 /*
 * arpwatch - keep track of ethernet/ip address pairings, report changes
 */
@@ -74,6 +76,9 @@
 #include "db.h"
 #include "ec.h"
 #include "fddi.h"
+#ifdef TOKEN
+#include "toring.h"
+#endif
 #include "file.h"
 #include "machdep.h"
 #include "setsignal.h"
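Review bot: The `#define TOKEN 1` added at the top of arpwatch.c switches the token-ring path on unconditionally, so every `#ifdef TOKEN` guard this patch introduces is always true and the new packet handler cannot be left out of a build. If the guards are meant as a real option, drop the define from the source and let the build supply it (for example `-DTOKEN` in the compiler flags); if the feature is always on, the guards only add noise. Either way a one-line comment such as `/* TOKEN: compile in IEEE 802.5 (token ring) capture support */` would say what the macro controls.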
@@ -135,10 +140,16 @@
 int main(int, char **);
 void process_ether(u_char *, const struct pcap_pkthdr *, const u_char *);
 void process_fddi(u_char *, const struct pcap_pkthdr *, const u_char *);
+#ifdef TOKEN
+void process_toring(u_char *, const struct pcap_pkthdr *, const u_char *);
+#endif
 int readsnmp(char *);
 int snmp_add(u_int32_t, u_char *, time_t, char *);
 int sanity_ether(struct ether_header *, struct ether_arp *, int);
 int sanity_fddi(struct fddi_header *, struct ether_arp *, int);
+#ifdef TOKEN
+int sanity_toring(struct toring_header *, struct ether_arp *, int);
+#endif
 __dead void usage(void) __attribute__((volatile));
 int
@@ -267,6 +278,7 @@
 swapped = pcap_is_swapped(pd);
 } else {
 snaplen = max(sizeof(struct ether_header),
+//FIXME
 sizeof(struct fddi_header)) + sizeof(struct ether_arp);
 timeout = 1000;
 pd = pcap_open_live(interface, snaplen, 1, timeout, errbuf);
@@ -286,10 +298,14 @@
 setgid(getgid());
 setuid(getuid());
- /* Must be ethernet or fddi */
+ /* Must be ethernet or fddi or tokenring */
 linktype = pcap_datalink(pd);
- if (linktype != DLT_EN10MB && linktype != DLT_FDDI) {
- syslog(LOG_ERR, "Link layer type %d not ethernet or fddi",
+ if (linktype != DLT_EN10MB && linktype != DLT_FDDI
+#ifdef TOKEN
+&& linktype != DLT_IEEE802
+#endif
+ ) {
+ syslog(LOG_ERR, "Link layer type %d not ethernet, fddi or tokenring",
 linktype);
 exit(1);
 }
@@ -337,7 +353,11 @@
 case DLT_FDDI:
 status = pcap_loop(pd, 0, process_fddi, NULL);
 break;
-
+#ifdef TOKEN
+ case DLT_IEEE802:
+ status = pcap_loop(pd, 0, process_toring, NULL);
+ break;
+#endif
 default:
 syslog(LOG_ERR, "bad linktype %d (can't happen)", linktype);
 exit(1);
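Review bot: The `//FIXME` dropped into the middle of the `snaplen` expression marks a gap without closing it: the capture length is still sized from `ether_header` and `fddi_header` only. If `struct toring_header` is larger than both (fddi.h is not part of this diff, so that needs checking), token-ring frames are captured too short to hold the header plus the ARP body, and process_toring would read past the captured bytes. Include the new header in the maximum, e.g. `snaplen = max(max(sizeof(struct ether_header), sizeof(struct fddi_header)), sizeof(struct toring_header)) + sizeof(struct ether_arp);`, and remove the marker. The statement sits in a function that begins and ends outside this hunk.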
@@ -393,13 +413,13 @@
 /* Watch for ethernet broadcast */
 if (MEMCMP(sea, zero, 6) == 0 || MEMCMP(sea, allones, 6) == 0 ||
 MEMCMP(sha, zero, 6) == 0 || MEMCMP(sha, allones, 6) == 0) {
- dosyslog(LOG_INFO, "ethernet broadcast", sia, sea, sha);
+ dosyslog(LOG_INFO, "MAC broadcast (eth)", sia, sea, sha);
 return;
 }
 /* Double check ethernet addresses */
 if (MEMCMP(sea, sha, 6) != 0) {
- dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha);
+ dosyslog(LOG_INFO, "MAC mismatch (eth)", sia, sea, sha);
 return;
 }
@@ -542,13 +562,13 @@
 /* Watch for ethernet broadcast */
 if (MEMCMP(sea, zero, 6) == 0 || MEMCMP(sea, allones, 6) == 0 ||
 MEMCMP(sha, zero, 6) == 0 || MEMCMP(sha, allones, 6) == 0) {
- dosyslog(LOG_INFO, "ethernet broadcast", sia, sea, sha);
+ dosyslog(LOG_INFO, "MAC broadcast (fddi)", sia, sea, sha);
 return;
 }
 /* Double check ethernet addresses */
 if (MEMCMP(sea, sha, 6) != 0) {
- dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha);
+ dosyslog(LOG_INFO, "MAC mismatch (fddi)", sia, sea, sha);
 return;
 }
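Review bot: The new syslog strings `"MAC broadcast (eth)"` and `"MAC mismatch (eth)"` in this hunk (and the `(fddi)` pair in the next hunk and the `(tr)` pair in process_toring) do not match what the arpwatch.8 hunks of this same patch document, which list plain `"MAC broadcast"` and `"MAC mismatch"`. Renaming the messages also silently breaks any log filter or alert rule keyed on the old `ethernet broadcast` / `ethernet mismatch` text, and the db.c and report.c hunks do the same for `reused old ethernet address`, `changed ethernet address` and the mail report field labels. I would add a man page line such as `The suffix (eth), (fddi) or (tr) names the link type the frame arrived on.` and call the renames out in the package changelog so monitoring rules can be updated. Both checks sit in functions whose bodies start and end outside these hunks.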
@@ -639,6 +659,71 @@
 return(1);
 }
+#ifdef TOKEN
+void
+process_toring(register u_char *u, register const struct pcap_pkthdr *h,
+ register const u_char *p)
+{
+ register struct toring_header *th;
+ register struct ether_arp *ea;
+ register u_char *sea, *sha;
+ register time_t t;
+ u_int32_t sia;
+
+ th = (struct toring_header *)p;
+ ea = (struct ether_arp *)(th + 1);
+
+ if (swapped) {
+ bit_reverse(th->src, 6);
+ bit_reverse(th->dst, 6);
+ }
+ if (!sanity_toring(th, ea, h->caplen))
+ return;
+
+ /* Source MAC hardware ethernet address */
+ sea = (u_char *)th->src;
+
+ /* Source ARP ethernet address */
+ sha = (u_char *)SHA(ea);
+
+ /* Source ARP ip address */
+ BCOPY(SPA(ea), &sia, 4);
+
+ /* Watch for bogons */
+ if (isbogon(sia)) {
+ dosyslog(LOG_INFO, "bogon", sia, sea, sha);
+ return;
+ }
+
+ /* Watch for broadcast */
+ if (MEMCMP(sea, zero, 6) == 0 || MEMCMP(sea, allones, 6) == 0 ||
+ MEMCMP(sha, zero, 6) == 0 || MEMCMP(sha, allones, 6) == 0) {
+ dosyslog(LOG_INFO, "MAC broadcast (tr)", sia, sea, sha);
+ return;
+ }
+
+ /* Double check tokenring addresses */
+ if (MEMCMP(sea, sha, 6) != 0) {
+ dosyslog(LOG_INFO, "MAC mismatch (tr)", sia, sea, sha);
+ return;
+ }
+
+ /* Got a live one */
+ t = h->ts.tv_sec;
+ can_checkpoint = 0;
+ if (!ent_add(sia, sea, t, NULL))
+ syslog(LOG_ERR, "ent_add(%s, %s, %ld) failed",
+ intoa(sia), e2str(sea), t);
+ can_checkpoint = 1;
+}
+int
+sanity_toring(register struct toring_header *th, register struct ether_arp *ea,
+ register int len)
+{
+ return (1);
+}
+#endif
+
 int
 addnet(register const char *str)
 {
--- arpwatch-2.1a11/db.c
+++ arpwatch-2.1a11/db.c
@@ -150,7 +150,7 @@
 /* An old entry comes to life */
 e2 = ap->elist[0]->e;
 t2 = ap->elist[0]->t;
- dosyslog(LOG_NOTICE, "reused old ethernet address",
+ dosyslog(LOG_NOTICE, "reused old MAC address",
 a, e, e2);
 /* Shift entries down */
 len = i * sizeof(ap->elist[0]);
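Review bot: `sanity_toring()` is a stub that always returns 1, so `process_toring()` reads `th->src`, `SHA(ea)` and `SPA(ea)` without ever comparing `h->caplen` with the size of the header plus the ARP body; a short or truncated token-ring frame leads to reads past the captured data. The `bit_reverse()` calls also run before the sanity check, and they write through `p`, which the callback receives as `const`. The fixed `th + 1` offset further assumes no routing information field follows the source address, which is worth confirming for source-routed rings. The fence moves the check ahead of the first field access and gives `sanity_toring()` a minimal length test; the bodies of `sanity_ether` and `sanity_fddi` are outside this diff, so the log wording should be aligned with theirs.

```c
	th = (struct toring_header *)p;
	ea = (struct ether_arp *)(th + 1);

	/* Check the captured length before any header field is touched */
	if (!sanity_toring(th, ea, h->caplen))
		return;
	if (swapped) {
		bit_reverse(th->src, 6);
		bit_reverse(th->dst, 6);
	}
	/* … unchanged: address extraction, bogon/broadcast/mismatch checks, ent_add … */

int
sanity_toring(register struct toring_header *th, register struct ether_arp *ea,
    register int len)
{
	/* Frame must hold the whole header and the ARP body */
	if (len < 0 || (size_t)len < sizeof(*th) + sizeof(*ea)) {
		syslog(LOG_ERR, "short tokenring frame (got %d)", len);
		return (0);
	}
	return (1);
}
```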
@@ -165,7 +165,7 @@
 /* New ether address */
 e2 = ap->elist[0]->e;
 t2 = ap->elist[0]->t;
- report("changed ethernet address", a, e, e2, &t, &t2);
+ report("changed MAC address", a, e, e2, &t, &t2);
 /* Make room at head of list */
 alist_alloc(ap);
 len = ap->ecount * sizeof(ap->elist[0]);
--- arpwatch-2.1a11/report.c
+++ arpwatch-2.1a11/report.c
@@ -312,19 +312,19 @@
 (void)putc('\n', f);
 (void)fprintf(f, fmt, "hostname", hn);
 (void)fprintf(f, fmt, "ip address", intoa(a));
- (void)fprintf(f, fmt, "ethernet address", e2str(e1));
+ (void)fprintf(f, fmt, "mac address", e2str(e1));
 if ((cp = ec_find(e1)) == NULL)
 cp = unknown;
- (void)fprintf(f, fmt, "ethernet vendor", cp);
+ (void)fprintf(f, fmt, "mac vendor", cp);
 if (hn != unknown && gethinfo(hn, cpu, sizeof(cpu), os, sizeof(os))) {
 (void)sprintf(buf, "%s %s", cpu, os);
 (void)fprintf(f, fmt, "dns cpu & os", buf);
 }
 if (e2) {
- (void)fprintf(f, fmt, "old ethernet address", e2str(e2));
+ (void)fprintf(f, fmt, "old mac address", e2str(e2));
 if ((cp = ec_find(e2)) == NULL)
 cp = unknown;
- (void)fprintf(f, fmt, "old ethernet vendor", cp);
+ (void)fprintf(f, fmt, "old mac vendor", cp);
 }
 if (t1p)
 (void)fprintf(f, fmt, "timestamp", fmtdate(*t1p));
--- arpwatch-2.1a11/toring.h
+++ arpwatch-2.1a11/toring.h
@@ -0,0 +1,26 @@
+/* Support for tokenring */
+
+/*
+ * 802.2 specific declarations
+ */
+//struct llchdr {
+// u_char llc_dsap;
+// u_char llc_ssap;
+// u_char llc_ctl;
+//};
+//
+//struct snaphdr {
+// u_char snap_oid[3];
+// u_char snap_type[2];
+//};
+
+struct toring_header {
+ u_char acc_ctl;
+ u_char frame_ctl;
+ u_char dst[6];
+ u_char src[6];
+ struct llchdr llc;
+ struct snaphdr snap;
+};
+
+
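Review bot: `struct toring_header` in the new toring.h embeds `struct llchdr` and `struct snaphdr`, but both definitions are commented out in this header, so it only compiles when an earlier include has already defined them; presumably that is fddi.h, which arpwatch.c includes just before it. State the dependency instead of leaving dead code, e.g. replace the commented-out structs with `/* requires struct llchdr and struct snaphdr; include fddi.h first */`, and add an include guard. Because the struct is overlaid on raw packet bytes, a comment giving the assumed layout, e.g. `/* AC, FC, 6-byte dst, 6-byte src, then LLC and SNAP; no routing information field */`, would help whoever writes the length check.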