ARP

check_arp.sh

Write a Review

Description:

This will check for duplicate MAC entries in your ARP table on your nagios/linux box. If it finds any, it MAY mean your being attacked via arp spoofing / poisoning.

Current Version

Last Release Date

June 3, 2009

Compatible With

Owner

Nagios Exchange

Copy Page Link Recommend Login to Add to Favorites
Project Notes
#! /bin/bash # THIS SCRIPT IS --VERY-- PARANOID. IT IS ONLY HAPPY WHEN YOU HAVE ONE (1) MAC PER IP ADDRESS. # IF YOU HAVE ONE (1) MACHINE WITH MULTIPLE VIRTUAL INTERFACES, THAT MACHINE MAY TRIGGER A FALSE ALARM. # IF YOU DO HAVE MORE THAN ONE IP PER MAC, ADJUST THE OK, WARNING, & CRITICAL LEVELS BELOW. gta=`/sbin/arp -n | grep ether | awk '{ print $3 }'` gtl=`echo "$gta" | sort -u | wc -l` tot="0" for s in `echo "$gta" | sort -u` do gts=`echo "$gta" | grep $s | wc -l` tot=`expr $tot + $gts` done ttl=`expr $tot - $gtl` out="$ttl DUPLICATE ARP ENTRIES" if [ $ttl -lt 1 ] then echo "OK - $out" exit 0 fi if [ $ttl -lt 2 ] then echo "WARNING - $out!" exit 1 fi if [ $ttl -gt 1 ] then echo "CRITICAL - $out!!" exit 2 fi
Reviews (2) Add a Review
needs some hacking...
by divad27182, January 31, 2019

1) for me, at least, the arp command is /usr/sbin/arp 2) it might be better to just replace everything from the gta= line to the ttl= line with something like: ttl=$( /usr/sbin/arp -n | grep ether | awk '{ print $3 }' | sort | uniq -d | wc -l ) This is 10 times faster (on my relatively small net), but only counts 1 for each mac that appears two or more times. If you want a MAC appearing three times to give a count of two, try: gta=`/usr/sbin/arp -n | grep ether | awk '{ print $3 }'` gtl=`echo "$gta" | sort -u | wc -l` tot=`echo "$gta" | wc -l` ttl=$(( $tot - $gtl ))


How to use check_arp.sh
by sheraz_aziz, September 30, 2013

Please guide how to use this script with Nagios ?. Ideally i want this script to give me alarm in Nagios for any duplicate IP address detected in network. Secondly I have tried testing the script on a linux machine and simulated a duplicate IP address machine, but it doesn't work. Many thanks in advance.


Add a Review

You must be logged in to submit a review.

Thank you for your review!

Your review has been submitted and is pending approval.

Recommend

To:


From:


Thank you for your recommendation!

Your recommendation has been sent.

Page Sections
Project Overview Project Notes Reviews
Project Stats
Rating
3.5 (2)
Favorites
0
Views
99,147