[ipv6hackers] IPv6/IPv4 address monitoring tool

Julius Kriukas julius.kriukas at gmail.com
Wed Jul 4 09:47:00 CEST 2012


I wanted to share with you a linux tool for IPv6 and IPv4 address monitoring:

The main idea behind the tool is to replace arpwatch and ndpmon combo
with one simple tool that logs IPv4/IPv6 addresses and does nothing
more. It does not monitor Router Advertisements.

Key points about this tool:
*) IPv4 and IPv6 address logging.
*) Multiple network interfaces per daemon.
*) Output to stdout, plain text file, syslog, sqlite3 database.
*) History preserving output/logging.
*) It saves VLAN tags and can be used with trunk interfaces.

We are currently using it to monitor university campus networks. The
main purpose of monitoring is to be able to tie temporary IPv6
addresses to specific host in case of security incident.

Example of tool output (timestamp, iface, vlan, mac, ip, source):
root at luodis:~# addrwatch
addrwatch: DEBUG: Duplicate entries ratelimiting disabled
addrwatch: DEBUG: PROMISC mode enabled
addrwatch: DEBUG: Opened interface eth0 (Ethernet)
1341387811 eth0 500 70:ca:9b:d9:cd:94 ARP_REP
1341387812 eth0 500 70:ca:9b:d9:d4:74 ARP_REP
1341387812 eth0 250 00:01:6c:e4:c8:ea ARP_REQ
1341387812 eth0 502 00:16:3e:72:c7:01 fe80::216:3eff:fe72:c701 ND_NS
1341387812 eth0 500 44:2b:03:eb:4c:52 ARP_REP
1341387812 eth0 250 00:13:10:5c:b4:43 ARP_REQ
1341387813 eth0 500 70:ca:9b:d9:cf:28 ARP_REP

Any feedback would be appreciated.

Julius Kriukas

More information about the Ipv6hackers mailing list