This will check for duplicate MAC entries in the ARP table on your Nagios/Linux box. If it finds any, it MAY mean you're being attacked via ARP spoofing / poisoning.
Current Version
Last Release Date: June 3, 2009
Owner: Nagios Exchange
Compatible With
#! /bin/bash

# THIS SCRIPT IS --VERY-- PARANOID. IT IS ONLY HAPPY WHEN YOU HAVE ONE (1) MAC PER IP ADDRESS.
# IF YOU HAVE ONE (1) MACHINE WITH MULTIPLE VIRTUAL INTERFACES, THAT MACHINE MAY TRIGGER A FALSE ALARM.
# IF YOU DO HAVE MORE THAN ONE IP PER MAC, ADJUST THE OK, WARNING, & CRITICAL LEVELS BELOW.

# MAC address column of every Ethernet entry in the ARP table
gta=`/sbin/arp -n | grep ether | awk '{ print $3 }'`
# Number of distinct MAC addresses
gtl=`echo "$gta" | sort -u | wc -l`

# Total number of entries, summed over each distinct MAC
tot="0"
for s in `echo "$gta" | sort -u`
do
    gts=`echo "$gta" | grep $s | wc -l`
    tot=`expr $tot + $gts`
done

# Entries beyond the first for each MAC
ttl=`expr $tot - $gtl`
out="$ttl DUPLICATE ARP ENTRIES"

# Nagios exit codes: 0 = OK, 1 = WARNING, 2 = CRITICAL
if [ $ttl -lt 1 ]
then
    echo "OK - $out"
    exit 0
fi
if [ $ttl -lt 2 ]
then
    echo "WARNING - $out!"
    exit 1
fi
if [ $ttl -gt 1 ]
then
    echo "CRITICAL - $out!!"
    exit 2
fi
1) for me, at least, the arp command is /usr/sbin/arp
2) it might be better to just replace everything from the gta= line to the ttl= line with something like:

ttl=$( /usr/sbin/arp -n | grep ether | awk '{ print $3 }' | sort | uniq -d | wc -l )

This is 10 times faster (on my relatively small net), but only counts 1 for each mac that appears two or more times. If you want a MAC appearing three times to give a count of two, try:

gta=`/usr/sbin/arp -n | grep ether | awk '{ print $3 }'`
gtl=`echo "$gta" | sort -u | wc -l`
tot=`echo "$gta" | wc -l`
ttl=$(( $tot - $gtl ))
Please guide me on how to use this script with Nagios. Ideally I want this script to give me an alarm in Nagios for any duplicate IP address detected in the network. Secondly, I have tried testing the script on a Linux machine and simulated a duplicate IP address machine, but it doesn't work. Many thanks in advance.