Bug 58189 - RFE: MAC-centric arpwatch instead of IP-centric
Summary: RFE: MAC-centric arpwatch instead of IP-centric
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 7.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-01-10 19:55 UTC by kenneth_porter
Modified: 2008-05-01 15:38 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2003-03-10 15:39:18 UTC
Embargoed:

Attachments (Terms of Use)

Description kenneth_porter 2002-01-10 19:55:52 UTC 
Arpwatch messages currently report changes in Ethernet address, assuming that a
host's IP address remains stable. In a network where the MAC remains stable and
the IP address changes (eg. DHCP), it would be more useful to receive reports
that use the MAC as the key and report changes in the associated IP address.
This should be a runtime option.
Comment 1 Gilbert E. Detillieux 2002-07-31 20:34:06 UTC 
Perhaps this could be useful, but only as an option, and not enabled by default!

However, be prepared for a lot of noise if you have any virtual hosts on your
net, where it's common and perfectly fine to have multiple IP addresses for a
given MAC address.  Also, depending on DHCP configuration, you may have a lot of
changes in IP address for a given MAC address, which wouldn't necessarily be
very interesting.
Comment 2 Harald Hoyer 2003-03-10 15:39:18 UTC 
please report such things rfe's upstream...
Note You need to log in before you can comment on or make changes to this bug.