ARP

check_arp.sh

Description:

This will check for duplicate MAC entries in the ARP table on your Nagios/Linux box. If it finds any, it MAY mean you're being attacked via ARP spoofing / poisoning.

Current Version

Last Release Date

June 3, 2009

Compatible With


Project Notes
#! /bin/bash
# THIS SCRIPT IS --VERY-- PARANOID. IT IS ONLY HAPPY WHEN YOU HAVE ONE (1) MAC PER IP ADDRESS.
# IF YOU HAVE ONE (1) MACHINE WITH MULTIPLE VIRTUAL INTERFACES, THAT MACHINE MAY TRIGGER A FALSE ALARM.
# IF YOU DO HAVE MORE THAN ONE IP PER MAC, ADJUST THE OK, WARNING, & CRITICAL LEVELS BELOW.

# MAC column of every resolved (ether) entry in the ARP table
gta=`/sbin/arp -n | grep ether | awk '{ print $3 }'`
# number of distinct MACs
gtl=`echo "$gta" | sort -u | wc -l`
tot="0"
# add up how many entries each distinct MAC has
for s in `echo "$gta" | sort -u`
do
  gts=`echo "$gta" | grep "$s" | wc -l`
  tot=`expr $tot + $gts`
done
# entries beyond the first for each MAC
ttl=`expr $tot - $gtl`
out="$ttl DUPLICATE ARP ENTRIES"
if [ $ttl -lt 1 ]
then
  echo "OK - $out"
  exit 0
fi
if [ $ttl -lt 2 ]
then
  echo "WARNING - $out!"
  exit 1
fi
if [ $ttl -gt 1 ]
then
  echo "CRITICAL - $out!!"
  exit 2
fi
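A variant of the check above that also names each repeated MAC and the IPs it answers for, so an alert can be triaged quickly (for example, a known multi-homed host versus a second claim on the gateway's address). This is an added example, not the plugin author's code; `dup_macs`, `check_arp` and `SAMPLE_ARP` are hypothetical names, and the sample table is constructed from documentation addresses.

```shell
#!/bin/bash
# Added example, not the plugin's own code. SAMPLE_ARP is constructed
# `arp -n` output using documentation addresses (RFC 5737 / RFC 7042).
SAMPLE_ARP='Address        HWtype  HWaddress           Flags Mask  Iface
192.0.2.1      ether   00:00:5e:00:53:01   C           eth0
192.0.2.10     ether   00:00:5e:00:53:0a   C           eth0
192.0.2.20     ether   00:00:5e:00:53:0a   C           eth0
192.0.2.30     ether   00:00:5e:00:53:0a   C           eth0
192.0.2.40             (incomplete)                    eth0
192.0.2.50     ether   00:00:5e:00:53:32   C           eth0
192.0.2.60     ether   00:00:5e:00:53:32   C           eth0'

# Reads `arp -n` text on stdin; prints "<mac> <ip>,<ip>,..." for every MAC
# that appears on more than one resolved (ether) entry.
dup_macs() {
    awk '$2 == "ether" {
             mac = tolower($3)
             ips[mac] = (n[mac]++ ? ips[mac] "," : "") $1
         }
         END { for (m in n) if (n[m] > 1) print m, ips[m] }' | sort
}

# Nagios-style check: one status line on stdout, state in the return code.
# Thresholds match the original script: 0 surplus = OK, 1 = WARNING, 2+ = CRITICAL.
check_arp() {
    dups=$(dup_macs)
    if [ -z "$dups" ]; then
        echo "OK - 0 DUPLICATE ARP ENTRIES"
        return 0
    fi
    # Surplus entries: every IP beyond the first for each repeated MAC.
    extra=$(printf '%s\n' "$dups" | awk '{ e += split($2, a, ",") - 1 } END { print e }')
    macs=$(printf '%s\n' "$dups" | awk 'END { print NR }')
    detail=$(printf '%s\n' "$dups" | paste -s -d ';' -)
    if [ "$extra" -lt 2 ]; then
        echo "WARNING - $extra DUPLICATE ARP ENTRIES ($macs MACs): $detail"
        return 1
    fi
    echo "CRITICAL - $extra DUPLICATE ARP ENTRIES ($macs MACs): $detail"
    return 2
}

# Demo on the constructed table; live use: /sbin/arp -n | check_arp; exit $?
printf '%s\n' "$SAMPLE_ARP" | check_arp || echo "(exit status $?)"
```

The status line reports both counts: surplus entries (what the original script counts) and the number of distinct MACs that repeat.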
Reviews (2)
needs some hacking...
by divad27182, January 31, 2019
1) for me, at least, the arp command is /usr/sbin/arp

2) it might be better to just replace everything from the gta= line to the ttl= line with something like:

ttl=$( /usr/sbin/arp -n | grep ether | awk '{ print $3 }' | sort | uniq -d | wc -l )

This is 10 times faster (on my relatively small net), but only counts 1 for each mac that appears two or more times. If you want a MAC appearing three times to give a count of two, try:

gta=`/usr/sbin/arp -n | grep ether | awk '{ print $3 }'`
gtl=`echo "$gta" | sort -u | wc -l`
tot=`echo "$gta" | wc -l`
ttl=$(( $tot - $gtl ))
How to use check_arp.sh
by sheraz_aziz, September 30, 2013
Please guide how to use this script with Nagios. Ideally I want this script to give me an alarm in Nagios for any duplicate IP address detected in the network.

Secondly, I have tried testing the script on a Linux machine and simulated a duplicate IP address machine, but it doesn't work.

Many thanks in advance.
0 of 1 found this review helpful.
Project Stats
Rating: 3.5 (2)
Favorites: 0
Views: 99,129