From: Humes, D. G. <Dav...@jh...> - 2005-11-30 14:01:30

Maybe you misunderstand me. I'm not saying these entries should not be in the database. They should remain in the database until expired out based on the netdisco.conf settings, but with the active flag set to false. You can still see them if you just check the Archived Data box when doing a node search.

--Dave

> -----Original Message-----
> From: net...@li...
> [mailto:net...@li...] On Behalf
> Of Gaby Hoffmann
> Sent: Tuesday, November 29, 2005 7:11 PM
> To: net...@li...
> Subject: Re: [Netdisco] Node archiving - possible bug
>
> I don't consider this a bug, but a useful feature.
>
> It shows instantly all those trying to do fishy things and
> avoid detection by constantly changing IP numbers or using
> virtual IP numbers in addition to their official ones.
>
> Cheers.
>
> Gaby
>
> Humes, David G. wrote:
> > Periodically we see results like the following from doing a node
> > search.
> >
> > 00:08:74:1f:a4:56  Dell Computer Corp.
> > IP -> MAC    128.244.49.70 (RUSSEMW1-WD1.dom1)      Sep 26 08:38 2005  Nov 29 08:53 2005
> > Switch Port  128.244.1.37 [ 4.41 ] (b25-153-c6513)  Feb 21 16:04 2005  Nov 29 09:08 2005
> > MAC -> IP    128.244.125.213 ([No DNS])             Dec 15 16:37 2004  Sep 14 19:42 2005
> >
> > The last line is what troubles me because the search did not request
> > archived data. So, here's what's in the node_ip table.
> >
> > netdisco=> select * from node_ip where mac='00:08:74:1f:a4:56';
> >         mac        |       ip        | active |         time_first         |      time_last
> > -------------------+-----------------+--------+----------------------------+---------------------
> >  00:08:74:1f:a4:56 | 128.244.49.70   | t      | 2005-09-26 08:38:08.482752 | 2005-11-29 08:53:10
> >  00:08:74:1f:a4:56 | 128.244.125.213 | t      | 2004-12-15 16:37:44.462708 | 2005-09-14 19:42:02
> > (2 rows)
> >
> > The second record appears to be old and probably should have the
> > active flag set to false. That node is not reachable and there's
> > currently no arp cache entry for that ip address. An audit of the two
> > ip addresses shows that the node was moved from one dhcp subnet to
> > another on 9/26. So, the arpnipper should have seen that the mac
> > address was associated with another ip and flagged the second entry inactive.
> >
> > Here's the code in netdisco.pm for adding an arp cache entry to the
> > database.
> >
> > sub add_arp {
> >     my ($mac,$ip) = @_;
> >     my $dbh = &dbh;
> >
> >     # Set the active flag to false to archive all other instances
> >     # of this IP address
> >     sql_do(qq/UPDATE node_ip SET active = 'f' WHERE ip='$ip'/);
> >
> >     # Add this entry to node table.
> >     my %hash = ('mac' => $mac, 'ip' => $ip);
> >     insert_or_update('node_ip', \%hash,
> >         { 'time_last' => scalar(localtime), 'active' => 1, %hash });
> > }
> >
> > When a node is moved to a new subnet, the next time the arpnipper runs
> > it will only see the new ip address. So, it won't be able to set the
> > old ip address inactive and it will remain in that state until it's
> > eventually expired out of the database. I'm probably missing
> > something here, but it seems as though it should be setting all other
> > instances of the mac address to inactive as opposed to the ip address.
> >
> > Has anyone else observed this? Does this seem reasonable?
> >
> > Thanks.
> >
> > --Dave
> >
> > Dave Humes
> > Johns Hopkins University Applied Physics Laboratory
> > Telecommunications Group (ITC)
> > dav...@jh...
> > 443-778-6651
>
> --
> ___________________________________________________________________________
> Gaby Hoffmann                    E-Mail : Gab...@an...
> ANU IT Security, DOI             Phone  : (02) 6125 3264  Mob: 0410 348 254
> Leonard Huxley Building #56      Fax    : (02) 6125 8199  internal: 58199
> Australian National University   Canberra, ACT 0200
>
> _______________________________________________
> Netdisco mailing list
> net...@li...
> https://lists.sourceforge.net/lists/listinfo/netdisco-users
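The exchange above turns on one UPDATE statement: the quoted add_arp archives other rows holding the same IP, so a MAC that moves to a new DHCP subnet keeps a stale active row for its old IP until it expires. The following is an added example, not Netdisco's code and not from either poster: it replays Dave's timeline against an in-memory SQLite stand-in for node_ip (constructed timestamps, a simplified insert_or_update, and an `archive_by_mac` switch that adds the MAC-based archiving he suggests). Both modes keep every row in the table, which is the point of Dave's reply to Gaby: the archived row still appears in an "Archived Data" search, while the default search only shows active rows.

```python
import sqlite3

# Constructed stand-in for Netdisco's node_ip table (hypothetical, simplified).
SCHEMA = """
CREATE TABLE node_ip (
    mac        TEXT NOT NULL,
    ip         TEXT NOT NULL,
    active     INTEGER NOT NULL,
    time_first TEXT NOT NULL,
    time_last  TEXT NOT NULL,
    PRIMARY KEY (mac, ip)
);
"""


def new_db():
    """Fresh in-memory node_ip table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def insert_or_update(db, mac, ip, now):
    """Simplified stand-in for Netdisco's insert_or_update: refresh the
    (mac, ip) row if it exists, otherwise create it as active."""
    cur = db.execute(
        "UPDATE node_ip SET active = 1, time_last = ? WHERE mac = ? AND ip = ?",
        (now, mac, ip))
    if cur.rowcount == 0:
        db.execute(
            "INSERT INTO node_ip (mac, ip, active, time_first, time_last) "
            "VALUES (?, ?, 1, ?, ?)", (mac, ip, now, now))


def add_arp(db, mac, ip, now, archive_by_mac=False):
    """One ARP-cache observation of (mac, ip) at time `now`.

    archive_by_mac=False reproduces the quoted add_arp: only other rows
    holding this IP are archived.  archive_by_mac=True adds the change Dave
    proposes: this MAC's rows for other IPs are archived as well, so a node
    that moved subnets does not keep a stale active row.
    """
    db.execute("UPDATE node_ip SET active = 0 WHERE ip = ?", (ip,))
    if archive_by_mac:
        db.execute("UPDATE node_ip SET active = 0 WHERE mac = ? AND ip <> ?",
                   (mac, ip))
    insert_or_update(db, mac, ip, now)
    db.commit()


def mac_to_ip(db, mac, archived=False):
    """The 'MAC -> IP' part of a node search: active rows only unless the
    Archived Data box is ticked. Returns (ip, active, time_first, time_last)."""
    sql = "SELECT ip, active, time_first, time_last FROM node_ip WHERE mac = ?"
    if not archived:
        sql += " AND active = 1"
    return [tuple(r) for r in db.execute(sql + " ORDER BY time_first", (mac,))]


def replay(archive_by_mac):
    """Constructed timeline following the thread: the node is seen on the
    125.x subnet, moves to 49.x on 2005-09-26, and the old IP is never
    seen in the ARP cache again."""
    db = new_db()
    mac = "00:08:74:1f:a4:56"
    for ip, seen in [("128.244.125.213", "2004-12-15 16:37:44"),
                     ("128.244.125.213", "2005-09-14 19:42:02"),
                     ("128.244.49.70", "2005-09-26 08:38:08"),
                     ("128.244.49.70", "2005-11-29 08:53:10")]:
        add_arp(db, mac, ip, seen, archive_by_mac)
    return db


if __name__ == "__main__":
    for mode in (False, True):
        db = replay(mode)
        print("archive_by_mac =", mode)
        print("  default search :", mac_to_ip(db, "00:08:74:1f:a4:56"))
        print("  archived search:", mac_to_ip(db, "00:08:74:1f:a4:56", archived=True))
```

With `archive_by_mac=False` the default search still lists both IPs as active, which is exactly the extra "MAC -> IP" line Dave saw; with `archive_by_mac=True` only 128.244.49.70 is active and the 128.244.125.213 row is still there for an archived search. The original IP-based UPDATE is kept in both modes, so the case it was written for (an IP handed to a different MAC) still archives the previous holder.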