Bug 85389

Summary: arpwatch does not correctly determine vendor information for ethernet nics
Product: [Retired] Red Hat Linux Reporter: Ken Snider <ksnider>
Component: tcpdumpAssignee: Harald Hoyer <harald>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-02-05 15:56:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ken Snider 2003-02-28 23:27:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030211

Description of problem:
Just started arpwatch on my network, noticed the following:

            hostname: dwsp-10-0-0-21-tor-dcn.dw
          ip address:
    ethernet address: 0:3:ba:5:19:50
     ethernet vendor: <unknown>
           timestamp: Friday, February 28, 2003 22:56:04 +0000

That record *is* in ethercodes.dat:

[root@common arpwatch]# cat ethercodes.dat | grep '0:3:ba'
0:3:ba  Sun Microsystems

..and the file itslef is readable by arpwatch:

[root@common arpwatch]# ls -l ethercodes.dat
-r--r--r--    1 pcap     pcap       186208 Feb 28 23:03 ethercodes.dat

Further, only *some* vendor ID's are not decoded. Others are decoded just fine.

??? :)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install arpwatch rpm
2. /etc/init.d/arpwatch start
3. ping server with host with the above mac vendor

Actual Results:  <unknown> as vendor

Expected Results:  Sun Microsystems as vendor

Comment 1 Harald Hoyer 2003-03-10 15:30:10 UTC
really strange :)

Comment 2 Harald Hoyer 2004-02-05 14:50:42 UTC
does it work with the current arpwatch?

Comment 3 Ken Snider 2004-02-05 15:56:03 UTC
Seems to! :)