[ipv6hackers] IPv6/IPv4 address monitoring tool
Julius Kriukas
julius.kriukas at gmail.com
Wed Jul 4 09:47:00 CEST 2012
Hi,
I wanted to share with you a Linux tool for IPv6 and IPv4 address monitoring:
https://github.com/fln/addrwatch
The main idea behind the tool is to replace arpwatch and ndpmon combo
with one simple tool that logs IPv4/IPv6 addresses and does nothing
more. It does not monitor Router Advertisements.
Key points about this tool:
*) IPv4 and IPv6 address logging.
*) Multiple network interfaces per daemon.
*) Output to stdout, plain text file, syslog, sqlite3 database.
*) History preserving output/logging.
*) It saves VLAN tags and can be used with trunk interfaces.
We are currently using it to monitor university campus networks. The
main purpose of monitoring is to be able to tie temporary IPv6
addresses to a specific host in case of a security incident.
Example of tool output (timestamp, iface, vlan, mac, ip, source):
root at luodis:~# addrwatch
addrwatch: DEBUG: Duplicate entries ratelimiting disabled
addrwatch: DEBUG: PROMISC mode enabled
addrwatch: DEBUG: Opened interface eth0 (Ethernet)
1341387811 eth0 500 70:ca:9b:d9:cd:94 172.16.255.22 ARP_REP
1341387812 eth0 500 70:ca:9b:d9:d4:74 172.16.255.9 ARP_REP
1341387812 eth0 250 00:01:6c:e4:c8:ea 192.168.3.104 ARP_REQ
1341387812 eth0 502 00:16:3e:72:c7:01 fe80::216:3eff:fe72:c701 ND_NS
1341387812 eth0 500 44:2b:03:eb:4c:52 172.16.255.108 ARP_REP
1341387812 eth0 250 00:13:10:5c:b4:43 192.168.3.254 ARP_REQ
1341387813 eth0 500 70:ca:9b:d9:cf:28 172.16.255.104 ARP_REP
Any feedback would be appreciated.
--
Julius Kriukas
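The record format shown in the post (timestamp, iface, vlan, mac, ip, source) is what an incident responder has to query to tie a temporary IPv6 address back to a host. The parser and lookup below are an added example, not part of addrwatch or of the original post; the log lines are constructed in that format, and the 2001:db8 addresses are placeholders.

```python
"""Parse addrwatch output and answer "which MAC had this address at time T?"."""
from collections import defaultdict
import ipaddress

# Constructed sample in addrwatch's record format: timestamp iface vlan mac ip source.
# The DEBUG line is included to show that non-record output is skipped.
SAMPLE_LOG = """\
addrwatch: DEBUG: PROMISC mode enabled
1341387811 eth0 500 70:ca:9b:d9:cd:94 172.16.255.22 ARP_REP
1341387812 eth0 502 00:16:3e:72:c7:01 fe80::216:3eff:fe72:c701 ND_NS
1341390000 eth0 502 00:16:3e:72:c7:01 2001:db8:502::a1b2:c3d4:e5f6:1234 ND_NS
1341393600 eth0 502 00:16:3e:72:c7:01 2001:db8:502::9f8e:7d6c:5b4a:3210 ND_NS
"""

def parse_addrwatch(text):
    """Return (ts, iface, vlan, mac, ip, source) tuples; skip non-record lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():
            continue  # debug chatter or blank line
        ts, iface, vlan, mac, ip, source = parts
        try:
            addr = ipaddress.ip_address(ip)  # validates both IPv4 and IPv6
        except ValueError:
            continue  # malformed address field
        records.append((int(ts), iface, int(vlan), mac.lower(), addr, source))
    return records

def build_history(records):
    """Map (vlan, ip) -> time-sorted [(ts, mac), ...]; VLAN is part of the key."""
    hist = defaultdict(list)
    for ts, _iface, vlan, mac, ip, _src in records:
        hist[(vlan, ip)].append((ts, mac))
    for sightings in hist.values():
        sightings.sort()  # oldest sighting first
    return hist

def who_had(hist, vlan, ip, when):
    """MAC that most recently claimed ip on vlan at or before `when`, else None."""
    mac = None
    for ts, m in hist.get((vlan, ipaddress.ip_address(ip)), []):
        if ts > when:
            break
        mac = m
    return mac

def addresses_of(hist, mac):
    """Every address ever logged for a MAC: its temporary-address trail."""
    return sorted(str(ip) for (_v, ip), s in hist.items() if any(m == mac for _, m in s))
```

Feeding the sqlite3 or text output of a long-running addrwatch through the same functions gives the same answer over a whole semester of history.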