check_arp.sh

This will check for duplicate MAC entries in the ARP table of your Nagios/Linux box. If it finds any, it MAY mean you're being attacked via ARP spoofing/poisoning.
#! /bin/bash

# THIS SCRIPT IS --VERY-- PARANOID. IT IS ONLY HAPPY WHEN YOU HAVE ONE (1) MAC PER IP ADDRESS.
# IF YOU HAVE ONE (1) MACHINE WITH MULTIPLE VIRTUAL INTERFACES, THAT MACHINE MAY TRIGGER A FALSE ALARM.
# IF YOU DO HAVE MORE THAN ONE IP PER MAC, ADJUST THE OK, WARNING, & CRITICAL LEVELS BELOW.

# One MAC per complete ARP entry (incomplete entries have no "ether" column and are skipped).
gta=$(/sbin/arp -n | grep ether | awk '{ print $3 }')
# Number of distinct MACs.
gtl=$(echo "$gta" | sort -u | wc -l)
# Total entries, summed per distinct MAC; -F -x -c counts whole-line literal matches only,
# so a MAC can never match as a substring of another value.
tot=0
for s in $(echo "$gta" | sort -u)
do
    gts=$(echo "$gta" | grep -Fxc "$s")
    tot=$((tot + gts))
done
# Entries beyond one per MAC, i.e. MACs that answer for more than one IP.
ttl=$((tot - gtl))
out="$ttl DUPLICATE ARP ENTRIES"
if [ "$ttl" -lt 1 ]
then
    echo "OK - $out"
    exit 0
fi
if [ "$ttl" -lt 2 ]
then
    echo "WARNING - $out!"
    exit 1
fi
# Anything left is two or more extra entries.
echo "CRITICAL - $out!!"
exit 2
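As an added example (not part of the plugin or of this Nagios Exchange page), the same check in Python: it parses constructed `arp -n` output, reports both the script's count (entries minus distinct MACs) and the reviewer's `uniq -d` count (MACs seen more than once), applies the script's OK/WARNING/CRITICAL thresholds, and accepts a hypothetical allowlist for hosts known to hold several IPs, the virtual-interface false alarm the comments warn about.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `arp -n` output (Linux net-tools layout). 02:00:00:00:00:aa answers
# for three IPs, the one-MAC-many-IPs pattern the plugin treats as suspicious.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   02:00:00:00:00:01   C                     eth0
192.168.1.20             ether   02:00:00:00:00:aa   C                     eth0
192.168.1.21             ether   02:00:00:00:00:aa   C                     eth0
192.168.1.22             ether   02:00:00:00:00:aa   C                     eth0
192.168.1.30             ether   02:00:00:00:00:30   C                     eth0
192.168.1.99                     (incomplete)                              eth0
"""
MAC_RE = re.compile(r"^(\S+)\s+ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

def ips_per_mac(arp_text):
    """Map each MAC to the set of IPs that resolve to it. Incomplete entries carry
    no MAC and are skipped, exactly as the script's grep for 'ether' skips them."""
    table = defaultdict(set)
    for line in arp_text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[m.group(2).lower()].add(m.group(1))
    return table

def duplicate_counts(table, allow=frozenset()):
    """Return (extra, dup_macs): the plugin's figure (entries minus distinct MACs) and the
    reviewer's `uniq -d` figure (MACs seen twice or more). `allow` is a hypothetical
    allowlist of MACs that legitimately hold several IPs (a host with virtual interfaces)."""
    dup = {m: ips for m, ips in table.items() if len(ips) > 1 and m not in allow}
    return sum(len(ips) - 1 for ips in dup.values()), len(dup)

def nagios_state(extra):
    """Thresholds of check_arp.sh: 0 extra -> OK, 1 -> WARNING, 2 or more -> CRITICAL."""
    return (0, "OK") if extra < 1 else (1, "WARNING") if extra < 2 else (2, "CRITICAL")

def check(arp_text, allow=frozenset()):
    extra, dups = duplicate_counts(ips_per_mac(arp_text), allow)
    code, label = nagios_state(extra)
    return code, f"{label} - {extra} DUPLICATE ARP ENTRIES ({dups} MAC(s) on more than one IP)"

if __name__ == "__main__":  # live table when arp is installed, else the constructed sample
    try:
        text = subprocess.run(["arp", "-n"], capture_output=True, text=True).stdout
    except OSError:
        text = SAMPLE_ARP
    code, msg = check(text)
    print(msg)
    raise SystemExit(code)
```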
Reviews (2)
1) for me, at least, the arp command is /usr/sbin/arp

2) it might be better to just replace everything from the gta= line to the ttl= line with something like:

ttl=$( /usr/sbin/arp -n | grep ether | awk '{ print $3 }' | sort | uniq -d | wc -l )

This is 10 times faster (on my relatively small net), but only counts 1 for each mac that appears two or more times. If you want a MAC appearing three times to give a count of two, try:

gta=`/usr/sbin/arp -n | grep ether | awk '{ print $3 }'`
gtl=`echo "$gta" | sort -u | wc -l`
tot=`echo "$gta" | wc -l`
ttl=$(( $tot - $gtl ))
by sheraz_aziz, September 18, 2013
0 of 1 people found this review helpful
Please guide me on how to use this script with Nagios. Ideally I want this script to give me an alarm in Nagios for any duplicate IP address detected in the network.

Secondly, I have tried testing the script on a Linux machine and simulated a duplicate IP address machine, but it doesn't work.

Many thanks in advance.