Hello, I am looking for an ARP table monitoring tool that can generate an alert (SNMP trap or SMTP) based on ARP table changes. Does NetDB provide this type of alert functionality?
At this time, the only functionality along those lines is the macwatch utility in its own folder. That was a contribution someone made but it works well. As far as ARP table changes, the system of course tracks all changes but does not have any alert functionality at this time.
What exact functionality were you looking for? Did you want to know about new devices on the network, or any change in the existing ARP tables? This would likely be implemented as a cron script that can take action when detected, so you could then generate a trap or do whatever when a change was detected.
We have 60k ARP entries on our network daily, so if I knew about everyone I’d go crazy :) Let me know some detail, I’m sure it’s possible.
Hi Jonathan, thanks for the reply. We need to be able to detect when new network devices appear on specific Ethernet switches in our environment. Ideally we'd use NetDB and other tools (e.g. MAC/arpwatch) to help detect deltas (which will be very rare) and generate some type of alert. You think macwatch/arpwatch could review a previous ARP table of a specific switch and throw an errorlevel which a script could execute options against?
Does it matter if the devices have moved switches, or do you just want alerts when a new device appears on the network on specific switches? It’s quite easy to catch new devices on specific switches, but detecting all moves would be a bit more complicated.
Jonathan, the devices are static (wired desktops) so movement isn't typical, although if a false positive alert were generated by a PC move this could be accommodated. So yes, just alerts generated by new MACs showing on switches would be sufficient. Thank you for thinking through this with me.
I would try something like this for now. At the moment, 1 hour increments is the best granularity I offer, but with a quick tweak we could add a minute option. If you schedule this on the hour in cron, it should generate an email whenever a new mac address is detected:
netdb -nm -h 1 -c | grep -v "MAC Address," -B 1 | mail -E "set nonullbody" -s 'New MAC Address Detected' youremail@domain.com
If you would rather generate a trap or whatever, instead of passing that output to mail, you could pass it off to another script.
Let me know how that goes. I’m taking off this afternoon for the weekend but I’ll be working some early next week if you need some tweaks.
One more thing, drop the -B 1 from grep, I was trying to keep the header but that would take a little more tweaking. Either way, it’s pretty easy to hack together this functionality with a one liner.
Oops, sorry for the repeated emails, but the -B 1 does work after all and preserves the header if you want that as well. If not, just drop the -B 1 and it will strip the header, giving you just the CSV output of new macs.
Jonathan
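The one-liner above mails every MAC NetDB saw in the last hour; the script below is an added example (not NetDB's own code) that turns that output into the "new MAC on a watched switch" alert Rob asked for, by diffing against a baseline of MACs already seen and returning an errorlevel a cron job can act on. It assumes the CSV from `netdb -nm -h 1 -c` has a header starting "MAC Address," with the MAC in column 1 and the switch name in column 3, and the sample CSV is constructed.

```shell
#!/bin/sh
# Added example, not NetDB's own code: compare NetDB CSV output against a
# baseline of MACs already seen, print only the new rows, remember them, and
# exit non-zero so a caller (cron, a trap script) can act on the result.
# Assumption: the CSV (as from `netdb -nm -h 1 -c`) has a header line that
# starts "MAC Address," with the MAC in column 1 and the switch in column 3.

# Constructed sample standing in for `netdb -nm -h 1 -c` output.
SAMPLE_CSV='MAC Address,IP Address,Switch,Port
00:11:22:33:44:55,10.0.1.10,sw-floor1,Gi1/0/1
aa:bb:cc:dd:ee:ff,10.0.1.11,sw-floor1,Gi1/0/2
DE:AD:BE:EF:00:01,10.0.2.20,sw-floor2,Gi1/0/7'

# only_switches NAME... : keep the header and rows whose switch column is one
# of NAME..., so alerts are limited to the switches being watched.
only_switches() {
    awk -F, -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NR == 1 || ($3 in keep)'
}

# new_macs BASELINE : read CSV on stdin, print rows whose MAC is not yet in
# BASELINE (one lowercase MAC per line), append those MACs to BASELINE, and
# return 1 if anything new was found, 0 otherwise.
new_macs() {
    baseline=$1
    [ -f "$baseline" ] || : > "$baseline"
    found=0
    while IFS= read -r line; do
        case $line in
            "MAC Address,"* | "") continue ;;    # header or blank line
        esac
        mac=$(printf '%s\n' "$line" | cut -d, -f1 | tr 'A-F' 'a-f')
        if ! grep -qxF -- "$mac" "$baseline"; then
            printf '%s\n' "$line"
            printf '%s\n' "$mac" >> "$baseline"
            found=1
        fi
    done
    return "$found"
}

# Cron usage (hourly, matching the -h 1 window): mail only when new rows exist.
#   out=$(netdb -nm -h 1 -c | only_switches sw-floor1 | new_macs /var/lib/known-macs) \
#     || printf '%s\n' "$out" | mail -s 'New MAC Address Detected' youremail@domain.com
```

A PC moved between watched switches keeps its MAC, so it does not trigger this check; only a MAC never recorded in the baseline does.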
Jonathan, thanks much! I will work on testing this over the next few weeks, but with the holidays it may take another week or so.