Security Basics mailing list archives

RE: arpwatch

From: Tony Kava <securityfocus () pottcounty com>
Date: Thu, 11 Sep 2003 14:16:33 -0500

Arpwatch does not require that you use a monitoring port or even that you
have a managed switch in your network.  It builds its tables from broadcast
traffic that you will see anywhere on an unmanaged network.  If you network
uses VLANs this will of course change the situation, but otherwise you can
run it anywhere even in a switched environment.

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa



-----Original Message-----
From: Zachary Mutrux [mailto:zmutrux () compumentor org]
Sent: Thursday, 11 September, 2003 10:59
To: Security-Basics
Subject: RE: arpwatch


I think zidan's question is not "what does arpwatch do?", but "how can I
intercept arp traffic when my network is switched?" Read more carefully
before unleashing the rant, J.

zidan, find the documentation for your switch and see if it has a monitoring
port that receives all traffic. On better switches you can even define which
port is the monitoring port.

Zac

-----Original Message-----
From: zidan [mailto:zidan00 () fastmail fm]
Sent: Wednesday, September 10, 2003 10:33 AM
To: security-basics () securityfocus com
Subject: arpwatch

hello,

I have recently installed arpwatch on one of our servers. I understood
arpwatch "learns" arp replies, but since arp replies are destined to a
specific MAC and
this is a switched network, how can arpwatch see all arp replies ?

-Z



---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------

Current thread:

Re: arpwatch, (continued)
- - - Re: arpwatch Mikkel Christensen (Sep 12)
- Re: arpwatch Gunter Luyten (Sep 11)
- Re: arpwatch Gunter Luyten (Sep 11)
- RE: arpwatch Zachary Mutrux (Sep 11)
  - Logical access controle to network segments and boxes MeaCulpa (Sep 11)
    - Re: Logical access controle to network segments and boxes Tim Syratt (Sep 11)
- Re: arpwatch Mikkel Christensen (Sep 11)
- RE: Arpwatch J. Oquendo (Sep 11)
- RE: Arpwatch zidan (Sep 11)
- Re: arpwatch zidan (Sep 11)
- RE: arpwatch Tony Kava (Sep 11)
- RE: arpwatch Tony Kava (Sep 11)
- RE: arpwatch Kim Oppalfens (Sep 12)
  - Re: arpwatch B. McAninch (Sep 15)
- RE: arpwatch zidan (Sep 15)
  - RE: arpwatch David Gillett (Sep 15)