Bug 85389 - arpwatch does not correctly determine vendor information for ethernet nics
Summary: arpwatch does not correctly determine vendor information for ethernet nics
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 7.3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2003-02-28 23:27 UTC by Ken Snider
Modified: 2007-04-18 16:51 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-02-05 15:56:03 UTC

Attachments (Terms of Use)

Description Ken Snider 2003-02-28 23:27:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030211

Description of problem:
Just started arpwatch on my network, noticed the following:

            hostname: dwsp-10-0-0-21-tor-dcn.dw
          ip address:
    ethernet address: 0:3:ba:5:19:50
     ethernet vendor: <unknown>
           timestamp: Friday, February 28, 2003 22:56:04 +0000

That record *is* in ethercodes.dat:

[root@common arpwatch]# cat ethercodes.dat | grep '0:3:ba'
0:3:ba  Sun Microsystems

..and the file itslef is readable by arpwatch:

[root@common arpwatch]# ls -l ethercodes.dat
-r--r--r--    1 pcap     pcap       186208 Feb 28 23:03 ethercodes.dat

Further, only *some* vendor ID's are not decoded. Others are decoded just fine.

??? :)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install arpwatch rpm
2. /etc/init.d/arpwatch start
3. ping server with host with the above mac vendor

Actual Results:  <unknown> as vendor

Expected Results:  Sun Microsystems as vendor

Comment 1 Harald Hoyer 2003-03-10 15:30:10 UTC
really strange :)

Comment 2 Harald Hoyer 2004-02-05 14:50:42 UTC
does it work with the current arpwatch?

Comment 3 Ken Snider 2004-02-05 15:56:03 UTC
Seems to! :)

Note You need to log in before you can comment on or make changes to this bug.