Difference between revisions of "ARPwatch"
From Notes_Wiki
| (41 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[Main Page|Home]] > [[Rocky Linux or CentOS]] > [[Rocky Linux 9.x]] > [[Rocky 9.x Network Monitoring Tools]] > [[ARPwatch]] | [[Main Page|Home]] > [[Rocky Linux or CentOS]] > [[Rocky Linux 9.x]] > [[Rocky 9.x Network Monitoring Tools]] > [[ARPwatch]] | ||
== | == Create Virtual Machine == | ||
* Create a Rocky 9.x VM in the Vcenter | * Create a Rocky 9.x VM in the Vcenter | ||
* Select '''All VLANs Trunk''' in Network Adapter while creating the Virtual Machine | * Select '''All VLANs Trunk''' in Network Adapter while creating the Virtual Machine | ||
== | == Configure Network Scripts == | ||
Create Network Scripts for each Vlan as per the below article: | |||
[[CentOS 8.x Configure ethernet port for 802.3 encapsulated trunk traffic communication]] | |||
* Example Network script ( file name: ifcfg-ens33.99) | |||
<pre> | |||
VLAN=yes | |||
TYPE=Vlan | |||
PHYSDEV=ens33 | |||
VLAN_ID=99 | |||
REORDER_HDR=yes | |||
GVRP=no | |||
MVRP=no | |||
HWADDR= | |||
PROXY_METHOD=none | |||
BROWSER_ONLY=no | |||
BOOTPROTO=none | |||
IPADDR=172.30.7.106 | |||
PREFIX=16 | |||
GATEWAY=172.30.0.1 | |||
DNS1=172.31.1.160 | |||
DNS2=8.8.8.8 | |||
DEFROUTE=yes | |||
IPV4_FAILURE_FATAL=no | |||
IPV6_DISABLED=yes | |||
IPV6INIT=no | |||
NAME=ens33.99 | |||
DEVICE=ens33.99 | |||
ONBOOT=yes | |||
</pre> | |||
* Restart the Network | |||
<pre> | |||
# systemctl restart NetworkManager | |||
</pre> | |||
* Remove the main interface | |||
<pre> | |||
# nmcli connection del <interface name> | |||
</pre> | |||
* Ping to gateway should work for each sub-interface | |||
* Should be able to access the Internet | |||
== Configure Postfix == | |||
Install postfix to enable the mail alerts for ARPwatch | |||
Configure postfix as per the below article: | |||
[[CentOS 8.x postfix send email through relay or smarthost with smtp authentication]] | |||
== Configure ARPwatch == | |||
* install ARPwatch | |||
<pre> | |||
# dnf update | |||
# dnf install epel-release | |||
# dnf install arpwatch | |||
</pre> | |||
* Start the service | |||
<pre> | |||
# systemctl start arpwatch | |||
# systemctl status arpwatch | |||
</pre> | |||
* Add the sub-interfaces to ARPwatch | |||
<pre> | |||
# arpwatch -i <sub-interface> | |||
</pre> | |||
* Restart the service | |||
<pre> | |||
# systemctl restart arpwatch | |||
</pre> | |||
* Check the Process to confirm that ARPwatch is running | |||
<pre> | |||
# ps aux | grep arpwatch | |||
</pre> | |||
* Example output | |||
<pre> | |||
[root@localhost ~]# ps aux | grep arpwatch | |||
arpwatch 41710 0.0 0.3 40860 6656 ? Ss May13 0:21 /usr/sbin/arpwatch -u arpwatch -F -C | |||
root 41760 0.0 0.3 40976 6024 ? Ss May13 0:00 arpwatch -i ens33.40 | |||
root 41763 0.0 0.4 40976 8200 ? Ss May13 0:01 arpwatch -i ens33.99 | |||
root 44122 0.0 0.1 221664 2176 pts/2 S+ 16:45 0:00 grep --color=auto arpwatch | |||
</pre> | |||
* Check logs in the following file | |||
<pre> | |||
/var/log/messages | |||
</pre> | |||
* Example mail alert output | |||
<pre> | |||
hostname: <unknown> | |||
ip address: 172.30.30.25 | |||
ethernet address: bc:24:11:48:b3:56 | |||
ethernet vendor: Proxmox Server Solutions GmbH | |||
timestamp: Wednesday, May 14, 2025 15:46:10 +0530 | |||
</pre> | |||
== Suppress flip flop and changed Ethernet address alerts == | |||
To suppress '''flip flop''' and '''changed Ethernet address''' alerts, we can use Postfix '''header_checks''' mechanism as a global filter. | |||
* Create or edit a header checks file | |||
<pre> | |||
vim /etc/postfix/header_checks | |||
</pre> | |||
* Add rule | |||
<pre> | |||
/^Subject:.*flip flop/ DISCARD | |||
/^Subject:.*changed ethernet address/ DISCARD | |||
</pre> | |||
* Enable in main.cf | |||
<pre> | |||
vim /etc/postfix/main.cf | |||
</pre> | |||
<pre> | |||
header_checks = regexp:/etc/postfix/header_checks | |||
</pre> | |||
* Reload postfix | |||
<pre> | |||
postmap /etc/postfix/header_checks | |||
</pre> | |||
<pre> | |||
postfix reload | |||
</pre> | |||
This will drop the mail at the SMTP level, before delivery. | |||
Reference | |||
* [[CentOS 8.x postfix send email through relay or smarthost with smtp authentication]] | |||
* https://www.tecmint.com/monitor-ethernet-activity-in-linux/ | |||
Latest revision as of 12:05, 13 June 2025
Home > Rocky Linux or CentOS > Rocky Linux 9.x > Rocky 9.x Network Monitoring Tools > ARPwatch
Create Virtual Machine
- Create a Rocky 9.x VM in the Vcenter
- Select All VLANs Trunk in Network Adapter while creating the Virtual Machine
Configure Network Scripts
Create Network Scripts for each Vlan as per the below article:
CentOS 8.x Configure ethernet port for 802.3 encapsulated trunk traffic communication
- Example Network script ( file name: ifcfg-ens33.99)
VLAN=yes TYPE=Vlan PHYSDEV=ens33 VLAN_ID=99 REORDER_HDR=yes GVRP=no MVRP=no HWADDR= PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=none IPADDR=172.30.7.106 PREFIX=16 GATEWAY=172.30.0.1 DNS1=172.31.1.160 DNS2=8.8.8.8 DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6_DISABLED=yes IPV6INIT=no NAME=ens33.99 DEVICE=ens33.99 ONBOOT=yes
- Restart the Network
# systemctl restart NetworkManager
- Remove the main interface
# nmcli connection del <interface name>
- Ping to gateway should work for each sub-interface
- Should be able to access the Internet
Configure Postfix
Install postfix to enable the mail alerts for ARPwatch
Configure postfix as per the below article:
CentOS 8.x postfix send email through relay or smarthost with smtp authentication
Configure ARPwatch
- install ARPwatch
# dnf update # dnf install epel-release # dnf install arpwatch
- Start the service
# systemctl start arpwatch # systemctl status arpwatch
- Add the sub-interfaces to ARPwatch
# arpwatch -i <sub-interface>
- Restart the service
# systemctl restart arpwatch
- Check the Process to confirm that ARPwatch is running
# ps aux | grep arpwatch
- Example output
[root@localhost ~]# ps aux | grep arpwatch arpwatch 41710 0.0 0.3 40860 6656 ? Ss May13 0:21 /usr/sbin/arpwatch -u arpwatch -F -C root 41760 0.0 0.3 40976 6024 ? Ss May13 0:00 arpwatch -i ens33.40 root 41763 0.0 0.4 40976 8200 ? Ss May13 0:01 arpwatch -i ens33.99 root 44122 0.0 0.1 221664 2176 pts/2 S+ 16:45 0:00 grep --color=auto arpwatch
- Check logs in the following file
/var/log/messages
- Example mail alert output
hostname: <unknown> ip address: 172.30.30.25 ethernet address: bc:24:11:48:b3:56 ethernet vendor: Proxmox Server Solutions GmbH timestamp: Wednesday, May 14, 2025 15:46:10 +0530
Suppress flip flop and changed Ethernet address alerts
To suppress flip flop and changed Ethernet address alerts, we can use Postfix header_checks mechanism as a global filter.
- Create or edit a header checks file
vim /etc/postfix/header_checks
- Add rule
/^Subject:.*flip flop/ DISCARD /^Subject:.*changed ethernet address/ DISCARD
- Enable in main.cf
vim /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
- Reload postfix
postmap /etc/postfix/header_checks
postfix reload
This will drop the mail at the SMTP level, before delivery.
Reference
