File arpwatch-2.1a11-tokenring.diff of Package arpwatch
--- arpwatch-2.1a11/arpwatch.8
+++ arpwatch-2.1a11/arpwatch.8
@@ -47,12 +47,12 @@
.ad
.SH DESCRIPTION
.B Arpwatch
-keeps track for ethernet/ip address pairings. It syslogs activity
+keeps track for MAC/IP address pairings. It syslogs activity
and reports certain changes via email.
.B Arpwatch
uses
.BR pcap (3)
-to listen for arp packets on a local ethernet interface.
+to listen for arp packets on a local ethernet/tokenring/fddi interface.
.LP
The
.B -d
@@ -62,7 +62,7 @@
.LP
The
.B -f
-flag is used to set the ethernet/ip address database filename.
+flag is used to set the MAC/IP address database filename.
The default is
.IR arp.dat .
.LP
@@ -106,26 +106,26 @@
.BR arpsnmp (1)):
.TP
.B "new activity"
-This ethernet/ip address pair has been used for the first time six
+This MAC/IP address pair has been used for the first time six
months or more.
.TP
.B "new station"
-The ethernet address has not been seen before.
+The MAC address has not been seen before.
.TP
.B "flip flop"
-The ethernet address has changed from the most recently seen address to
+The MAC address has changed from the most recently seen address to
the second most recently seen address.
-(If either the old or new ethernet address is a DECnet address and it
+(If either the old or new MAC address is a DECnet address and it
is less than 24 hours, the email version of the report is suppressed.)
.TP
-.B "changed ethernet address"
-The host switched to a new ethernet address.
+.B "changed MAC address"
+The host switched to a new MAC address.
.SH "SYSLOG MESSAGES"
Here are some of the syslog messages;
note that messages that are reported are also sysloged.
.TP
-.B "ethernet broadcast"
-The mac ethernet address of the host is a broadcast address.
+.B "MAC broadcast"
+The MAC address of the host is a broadcast address.
.TP
.B "ip broadcast"
The ip address of the host is a broadcast address.
@@ -133,15 +133,15 @@
.B "bogon"
The source ip address is not local to the local subnet.
.TP
-.B "ethernet broadcast"
-The source mac or arp ethernet address was all ones or all zeros.
+.B "MAC broadcast"
+The source MAC address was all ones or all zeros.
.TP
-.B "ethernet mismatch"
-The source mac ethernet address didn't match the address inside
+.B "MAC mismatch"
+The source MAC address didn't match the address inside
the arp packet.
.TP
-.B "reused old ethernet address"
-The ethernet address has changed from the most recently seen address to
+.B "reused old MAC address"
+The MAC address has changed from the most recently seen address to
the third (or greater) least recently seen address.
(This is similar to a flip flop.)
.TP
@@ -153,7 +153,7 @@
.nh
.nf
/usr/operator/arpwatch - default directory
-arp.dat - ethernet/ip address database
+arp.dat - MAC/IP address database
ethercodes.dat - vendor ethernet block list
.ad
.hy
--- arpwatch-2.1a11/arpwatch.c
+++ arpwatch-2.1a11/arpwatch.c
@@ -26,6 +26,8 @@
"@(#) $Id: arpwatch.c,v 1.63 2000/10/14 02:07:28 leres Exp $ (LBL)";
#endif
+#define TOKEN 1
+
/*
* arpwatch - keep track of ethernet/ip address pairings, report changes
*/
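Review bot: `#define TOKEN 1` is hard-wired into arpwatch.c, so every `#ifdef TOKEN` this patch adds is unconditionally true and the feature can never be switched off by the build. The define belongs in the build system (`CFLAGS += -DTOKEN` in the Makefile, or a configure check for DLT_IEEE802) rather than being pasted in ahead of the includes. `TOKEN` is also a very generic name for a feature switch; something like `ARPWATCH_TOKENRING` is less likely to collide with a macro from a system header.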
@@ -74,6 +76,9 @@
#include "db.h"
#include "ec.h"
#include "fddi.h"
+#ifdef TOKEN
+#include "toring.h"
+#endif
#include "file.h"
#include "machdep.h"
#include "setsignal.h"
@@ -135,10 +140,16 @@
int main(int, char **);
void process_ether(u_char *, const struct pcap_pkthdr *, const u_char *);
void process_fddi(u_char *, const struct pcap_pkthdr *, const u_char *);
+#ifdef TOKEN
+void process_toring(u_char *, const struct pcap_pkthdr *, const u_char *);
+#endif
int readsnmp(char *);
int snmp_add(u_int32_t, u_char *, time_t, char *);
int sanity_ether(struct ether_header *, struct ether_arp *, int);
int sanity_fddi(struct fddi_header *, struct ether_arp *, int);
+#ifdef TOKEN
+int sanity_toring(struct toring_header *, struct ether_arp *, int);
+#endif
__dead void usage(void) __attribute__((volatile));
int
@@ -267,6 +278,7 @@
swapped = pcap_is_swapped(pd);
} else {
snaplen = max(sizeof(struct ether_header),
+//FIXME
sizeof(struct fddi_header)) + sizeof(struct ether_arp);
timeout = 1000;
pd = pcap_open_live(interface, snaplen, 1, timeout, errbuf);
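Review bot: The snaplen computed on the line above still only accounts for `ether_header`/`fddi_header`, so on a DLT_IEEE802 interface the capture is cut before a token ring header (22 bytes, if it is the `struct toring_header` in toring.h) plus a full `struct ether_arp` has been seen; the `//FIXME` left in the middle of the expression suggests the author knew. Because the patch's `sanity_toring()` never looks at `caplen`, nothing downstream notices the truncation. The simplest fix is to widen the snaplen right after this assignment and drop the stray comment from inside the call: `#ifdef TOKEN` / `snaplen = max(snaplen, sizeof(struct toring_header) + sizeof(struct ether_arp));` / `#endif`. The open-device branch this sits in continues past the hunk.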
@@ -286,10 +298,14 @@
setgid(getgid());
setuid(getuid());
- /* Must be ethernet or fddi */
+ /* Must be ethernet or fddi or tokenring */
linktype = pcap_datalink(pd);
- if (linktype != DLT_EN10MB && linktype != DLT_FDDI) {
- syslog(LOG_ERR, "Link layer type %d not ethernet or fddi",
+ if (linktype != DLT_EN10MB && linktype != DLT_FDDI
+#ifdef TOKEN
+&& linktype != DLT_IEEE802
+#endif
+ ) {
+ syslog(LOG_ERR, "Link layer type %d not ethernet, fddi or tokenring",
linktype);
exit(1);
}
@@ -337,7 +353,11 @@
case DLT_FDDI:
status = pcap_loop(pd, 0, process_fddi, NULL);
break;
-
+#ifdef TOKEN
+ case DLT_IEEE802:
+ status = pcap_loop(pd, 0, process_toring, NULL);
+ break;
+#endif
default:
syslog(LOG_ERR, "bad linktype %d (can't happen)", linktype);
exit(1);
@@ -393,13 +413,13 @@
/* Watch for ethernet broadcast */
if (MEMCMP(sea, zero, 6) == 0 || MEMCMP(sea, allones, 6) == 0 ||
MEMCMP(sha, zero, 6) == 0 || MEMCMP(sha, allones, 6) == 0) {
- dosyslog(LOG_INFO, "ethernet broadcast", sia, sea, sha);
+ dosyslog(LOG_INFO, "MAC broadcast (eth)", sia, sea, sha);
return;
}
/* Double check ethernet addresses */
if (MEMCMP(sea, sha, 6) != 0) {
- dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha);
+ dosyslog(LOG_INFO, "MAC mismatch (eth)", sia, sea, sha);
return;
}
@@ -542,13 +562,13 @@
/* Watch for ethernet broadcast */
if (MEMCMP(sea, zero, 6) == 0 || MEMCMP(sea, allones, 6) == 0 ||
MEMCMP(sha, zero, 6) == 0 || MEMCMP(sha, allones, 6) == 0) {
- dosyslog(LOG_INFO, "ethernet broadcast", sia, sea, sha);
+ dosyslog(LOG_INFO, "MAC broadcast (fddi)", sia, sea, sha);
return;
}
/* Double check ethernet addresses */
if (MEMCMP(sea, sha, 6) != 0) {
- dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha);
+ dosyslog(LOG_INFO, "MAC mismatch (fddi)", sia, sea, sha);
return;
}
@@ -639,6 +659,71 @@
return(1);
}
+#ifdef TOKEN
+void
+process_toring(register u_char *u, register const struct pcap_pkthdr *h,
+ register const u_char *p)
+{
+ register struct toring_header *th;
+ register struct ether_arp *ea;
+ register u_char *sea, *sha;
+ register time_t t;
+ u_int32_t sia;
+
+ th = (struct toring_header *)p;
+ ea = (struct ether_arp *)(th + 1);
+
+ if (swapped) {
+ bit_reverse(th->src, 6);
+ bit_reverse(th->dst, 6);
+ }
+ if (!sanity_toring(th, ea, h->caplen))
+ return;
+
+ /* Source MAC hardware ethernet address */
+ sea = (u_char *)th->src;
+
+ /* Source ARP ethernet address */
+ sha = (u_char *)SHA(ea);
+
+ /* Source ARP ip address */
+ BCOPY(SPA(ea), &sia, 4);
+
+ /* Watch for bogons */
+ if (isbogon(sia)) {
+ dosyslog(LOG_INFO, "bogon", sia, sea, sha);
+ return;
+ }
+
+ /* Watch for broadcast */
+ if (MEMCMP(sea, zero, 6) == 0 || MEMCMP(sea, allones, 6) == 0 ||
+ MEMCMP(sha, zero, 6) == 0 || MEMCMP(sha, allones, 6) == 0) {
+ dosyslog(LOG_INFO, "MAC broadcast (tr)", sia, sea, sha);
+ return;
+ }
+
+ /* Double check tokenring addresses */
+ if (MEMCMP(sea, sha, 6) != 0) {
+ dosyslog(LOG_INFO, "MAC mismatch (tr)", sia, sea, sha);
+ return;
+ }
+
+ /* Got a live one */
+ t = h->ts.tv_sec;
+ can_checkpoint = 0;
+ if (!ent_add(sia, sea, t, NULL))
+ syslog(LOG_ERR, "ent_add(%s, %s, %ld) failed",
+ intoa(sia), e2str(sea), t);
+ can_checkpoint = 1;
+}
+int
+sanity_toring(register struct toring_header *th, register struct ether_arp *ea,
+ register int len)
+{
+ return (1);
+}
+#endif
+
int
addnet(register const char *str)
{
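Review bot: `sanity_toring()` returns 1 unconditionally and ignores its `len` argument, so `process_toring()` reads `th->src` and the `ether_arp` that it places at `th + 1` on any frame, however short; `h->caplen` is passed in but never compared against `sizeof(*th) + sizeof(*ea)`, which means a truncated or runt 802.5 frame makes the parser read past the captured bytes, and a frame that is not SNAP-encapsulated ARP is still fed to `ent_add()` as if it were. The stub should validate the frame the way the ethernet and fddi paths presumably do: length first, then the LLC/SNAP type, then the ARP address lengths. The sketch below uses the LLC/SNAP field names from the commented-out definitions in toring.h (0xaa is the SNAP SAP) and deliberately leaves `arp_hrd` unchecked because token ring stacks are not consistent about it; confirm the member names against whatever header really declares `llchdr`/`snaphdr`. `addnet()` starts on the last lines of this hunk and continues outside it.
```c
int
sanity_toring(register struct toring_header *th, register struct ether_arp *ea,
    register int len)
{
	/* Refuse to parse a frame pcap truncated before the ARP body ended */
	if (len < 0 || (size_t)len < sizeof(*th) + sizeof(*ea)) {
		syslog(LOG_ERR, "short tokenring frame (%d bytes, need %u)",
		    len, (unsigned)(sizeof(*th) + sizeof(*ea)));
		return (0);
	}
	/* Only 802.2 SNAP-encapsulated ARP is understood */
	if (th->llc.llc_dsap != 0xaa || th->llc.llc_ssap != 0xaa ||
	    th->snap.snap_type[0] != (ETHERTYPE_ARP >> 8) ||
	    th->snap.snap_type[1] != (ETHERTYPE_ARP & 0xff)) {
		syslog(LOG_INFO, "tokenring frame is not SNAP/ARP, ignored");
		return (0);
	}
	/* The ARP body must carry 6-byte hardware and 4-byte IPv4 addresses */
	if (ea->arp_hln != 6 || ea->arp_pln != 4 ||
	    ntohs(ea->arp_pro) != ETHERTYPE_IP) {
		syslog(LOG_INFO, "tokenring arp: hln %d pln %d pro 0x%x, ignored",
		    ea->arp_hln, ea->arp_pln, ntohs(ea->arp_pro));
		return (0);
	}
	return (1);
}
```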
--- arpwatch-2.1a11/db.c
+++ arpwatch-2.1a11/db.c
@@ -150,7 +150,7 @@
/* An old entry comes to life */
e2 = ap->elist[0]->e;
t2 = ap->elist[0]->t;
- dosyslog(LOG_NOTICE, "reused old ethernet address",
+ dosyslog(LOG_NOTICE, "reused old MAC address",
a, e, e2);
/* Shift entries down */
len = i * sizeof(ap->elist[0]);
@@ -165,7 +165,7 @@
/* New ether address */
e2 = ap->elist[0]->e;
t2 = ap->elist[0]->t;
- report("changed ethernet address", a, e, e2, &t, &t2);
+ report("changed MAC address", a, e, e2, &t, &t2);
/* Make room at head of list */
alist_alloc(ap);
len = ap->ecount * sizeof(ap->elist[0]);
--- arpwatch-2.1a11/report.c
+++ arpwatch-2.1a11/report.c
@@ -312,19 +312,19 @@
(void)putc('\n', f);
(void)fprintf(f, fmt, "hostname", hn);
(void)fprintf(f, fmt, "ip address", intoa(a));
- (void)fprintf(f, fmt, "ethernet address", e2str(e1));
+ (void)fprintf(f, fmt, "mac address", e2str(e1));
if ((cp = ec_find(e1)) == NULL)
cp = unknown;
- (void)fprintf(f, fmt, "ethernet vendor", cp);
+ (void)fprintf(f, fmt, "mac vendor", cp);
if (hn != unknown && gethinfo(hn, cpu, sizeof(cpu), os, sizeof(os))) {
(void)sprintf(buf, "%s %s", cpu, os);
(void)fprintf(f, fmt, "dns cpu & os", buf);
}
if (e2) {
- (void)fprintf(f, fmt, "old ethernet address", e2str(e2));
+ (void)fprintf(f, fmt, "old mac address", e2str(e2));
if ((cp = ec_find(e2)) == NULL)
cp = unknown;
- (void)fprintf(f, fmt, "old ethernet vendor", cp);
+ (void)fprintf(f, fmt, "old mac vendor", cp);
}
if (t1p)
(void)fprintf(f, fmt, "timestamp", fmtdate(*t1p));
--- arpwatch-2.1a11/toring.h
+++ arpwatch-2.1a11/toring.h
@@ -0,0 +1,26 @@
+/* Support for tokenring */
+
+/*
+ * 802.2 specific declarations
+ */
+//struct llchdr {
+// u_char llc_dsap;
+// u_char llc_ssap;
+// u_char llc_ctl;
+//};
+//
+//struct snaphdr {
+// u_char snap_oid[3];
+// u_char snap_type[2];
+//};
+
+struct toring_header {
+ u_char acc_ctl;
+ u_char frame_ctl;
+ u_char dst[6];
+ u_char src[6];
+ struct llchdr llc;
+ struct snaphdr snap;
+};
+
+
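Review bot: toring.h has no include guard and ships two commented-out struct definitions that should either be the real declarations or be deleted; as written, `struct toring_header` only compiles because `struct llchdr` and `struct snaphdr` are declared by some header included before it (in arpwatch.c it follows fddi.h, which is presumably where they live; confirm). Wrap the file in `#ifndef ARPWATCH_TORING_H` / `#define ARPWATCH_TORING_H` … `#endif` and drop the dead code. Note also that an 802.5 frame whose source address has the routing bit set carries a variable-length routing information field between `src` and the LLC header; if such frames can reach this parser, the fixed-offset `llc`/`snap` members will misread them, so the sanity check should at least reject frames with that bit set, with a comment such as `/* source-routed frames (RIF present) are not handled by this fixed layout */`.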