arpwatch / subnetting arithmetic

_Max_ · Posted: Mon Oct 18, 2004 10:22 am Post subject: arpwatch / subnetting arithmetic

Hi,

I am running arpwatch to check for flip-flops etc for 2 machines on a subnet (some servers) that I am worried about. The subnet is quite small, and everything is static, so I don't get tons of emails from arpwatch watching the subnet.

Well, that's how it used to be, anyway. For some reason, someone here has managed to get several subnets running across the same wire. That includes subnets with dhcp. Obviously, I now get tons of arpwatch emails for "new stations", "changed MAC address"es etc. I got lots of bogon warnings, too, but switched those off ("-N").

Since I have no control over which subnets are on which wire, I have the following question: Is it possible to restrict arpwatch to watching single IP addresses (or a range of IP addresses), and disregard all the other stuff that's going on on the wire (ignore all arp traffic that does not match a certain bunch of IP addresses)?

Maybe I am confused about subnetting arithmetic here, but if I have
IP address XXX.XXX.224.121, and subnet mask 255.255.240.0 (that's 20 bits, right?), then XXX.XXX.224.1 through XXX.XXX.239.255 should be on my subnet, right? And XXX.XXX.139.32 etc should not, right?

Thanks,

_Max_
_________________
Ceci n'est pas une sig.

steveb · Advocate Joined: 18 Sep 2002 Posts: 4564

_Max_ · Posted: Mon Oct 18, 2004 12:51 pm Post subject:

Ah, ok. The possible IP addresses on the network are
XXX.XXX.224.1 - XXX.XXX.239.254
then?

In any case, if there is a switch between my subnet and the other subnets, I shouldn't be seeing arp requests for IP addresses that are clearly (i. e. even I can do the calculations... I think) out of my subnet, like "ARP request: Who has XXX.XXX.104.77? Tell XXX.XXX.97.143", right?
_________________
Ceci n'est pas une sig.

steveb · Advocate Joined: 18 Sep 2002 Posts: 4564

depends how the addressing and cabeling is done. i for example have only switches over here. the clients are on a diffrend switch then the servers. but when i look at the arp requests, i some time see requests from complete diffrend subnets flooding my network.

speed_bump · Posted: Wed Oct 20, 2004 6:54 pm Post subject:

Unless you're using VLANs to segment your traffic, you will see ARP traffic for all the subnets running on your physical segment. ARP is a broadcast protocol, and those packets are replicated on all ports associated with the VLAN. If you're not explicitly using VLANs, then you're all in the same VLAN and you will see the broadcasts.

In an environment where DHCP is desirable (lots of mobile devices), you may well see ARP requests for addresses that are for completely different subnets. This is because a device speaking DHCP will try to reclaim the network address it was using when it was previously connected. If that doesn't work (it's moved to a different network), it should then begin the DHCP dialog to pick up an appropriate IP address. It's also possible that a mobile device was configured manually, and the owner has plugged it in without reconfiguring it.

Generally, these activities should not persist for long periods of time. If they do, you should probably find the device and get it configured appropriately.