Author Topic: arpwatch data mostly missing  (Read 8014 times)

sjwk

  • Newbie
  • Posts: 37
arpwatch data mostly missing
« on: February 16, 2015, 07:28:21 PM »
Evening all,
I've upgraded (via a clean install and wipe of the DB) to 1.4.  Since then, nedi is mostly ignoring data in the arpwatch file.  It claims to read it:
Quote
ARPW:Reading /var/lib/arpwatch/full.dat
ARPW:21297 arpwatch entries used
Yet there are only 10 nodes (and 10 records in the nodarp table) that have IPs, all the rest just have the IP 0.0.0.0.  Have checked the MAC addresses for a number of nodes missing an IP, and they do exist in the arpwatch data file, with an IP associated.
Oddly, the only IPs that are included are on a 192.168 subnet range that we do use, but which isn't the primary real-world network address range.  Even if for some reason it was just filtering to that subnet, there are a lot more than 10 nodes in that subnet in use.  I can't see any real pattern to those 10 - a mix of physical and virtual machines, running both Windows and Linux systems.

Will have a look through the code and try to work out what it's doing, but just in case I've missed some configuration option that configures what address range to pull from the arpwatch data?  As far as I can see the only arpwatch configuration option is the path to the data file?

sjwk

Re: arpwatch data mostly missing
« Reply #1 on: February 17, 2015, 11:35:26 AM »
Ah.  Looking in the output from nedi.pl, I'm seeing rather a lot of errors (about as many as there should be entries in the arpwatch file in fact... - that'll teach me to just grep the output for 'arp' rather than look properly...)

Around 21,000 or so of (inside ArpWatch()):
Quote
Use of uninitialized value in hash element at /var/nedi/inc/libmisc.pm line 1529.
Followed by an equally large amount of (inside MapIp()):
Quote
Use of uninitialized value $i[0] in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 745.
Use of uninitialized value in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 745.
Use of uninitialized value in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 745.
Use of uninitialized value $i[0] in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 748.
Use of uninitialized value in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 748.

So I think we can assume that's why there's virtually no data!  But why do 10 nodes read fine and the rest fail?

sjwk

Re: arpwatch data mostly missing
« Reply #2 on: February 17, 2015, 12:42:04 PM »
OK, my PerlFu is rusty, but in this chunk (from inside libmisc::ArpWatch()):
Quote
    if(!exists $amc{$mc} or $ad[2] > $amc{$mc}{'time'}){   # keep only the newest record per MAC
        $amc{$mc}{'time'} = $ad[2];
        &Prt("ARPW:$mc ".localtime($ad[2]) );
        if($_[0]){                                          # first argument to ArpWatch()
            my $oui = GetOui($mc);
            &Prt(" $oui ");
            if($mc =~ /$misc::border/ or $oui =~ /$misc::border/){
                &Prt(" matches border /$misc::border/\n");
                $bd++;
            }elsif($oui =~ /$misc::ouidev/i or $mc =~ /$misc::ouidev/){
                &Prt(" matches ouidev /$misc::ouidev/\n");
                $nad += CheckTodo($mc,$ad[1]);
            } else {
                &Prt("\n")
            }
        }else{                                              # store IP and (optionally) name
            $amc{$mc}{'ip'} = $ad[1];
            $amc{$mc}{'name'} = ($ad[3] and $main::opt{'N'} !~ /-iponly$/)?$ad[3]:'';
            &Prt(" $amc{$mc}{'ip'}\t$amc{$mc}{'name'}\tOK\n");
        }
    }
(note: I added an else clause here to the if/elsif in order to ensure a '\n' was printed, or the output is unmanageable!)

What is the if ($_[0]) on line 4 of the above matching on?  It seems to be entering that stanza for each record, then not matching the if or elsif inside, so doing nothing, and not initialising the values that are subsequently being used (on line 1529):
Quote
    $arp{''}{$mc}{''}{$amc{$mc}{'ip'}} = $amc{$mc}{'time'};

edit: also $oui when printed is '?' for all records.  Nedi does appear to be reading in the oui data.
« Last Edit: February 17, 2015, 12:56:44 PM by sjwk »

rickli

  • Administrator
  • Hero Member
  • Posts: 2763
Re: arpwatch data mostly missing
« Reply #3 on: February 18, 2015, 10:17:59 AM »
I've added this to perldoc:

B<Options> seedmode

If ArpWatch(1) is called it works as a "seedgenerator" pulling MAC addresses from the arpcache. Unless you use nedi.pl -o with arpwatch enabled you won't use this part...

I rewrote arpwatch per suggestion to factor in the timestamps of the ARP records. You should see ARPW: and DBG: lines when executing nedi.pl -vdd


Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

sjwk

Re: arpwatch data mostly missing
« Reply #4 on: February 18, 2015, 12:17:12 PM »
OK, seems I was calling it with -o, but without '-N arpwatch'...

Now looks good!
Ta,
Steve.

mcbride66

  • Guest
Re: arpwatch data mostly missing
« Reply #5 on: February 18, 2015, 05:06:22 PM »
Adding the '-N arpwatch', populated the nodes that were missing.

Thanks!

sjwk

Re: arpwatch data mostly missing
« Reply #6 on: February 18, 2015, 06:46:58 PM »
Actually, not good. 

Ok, I can't quite work out what parameters I should call nedi.pl with any more.
Back with 1.0.9, I used -vop (with -vopb once per day to backup switch configs), which worked fine.

Looking at the output with 1.4, those options crawled the switches from the seedlist via CDP (virtually all Cisco switches), it read in (but didn't do anything with) the arpwatch data, and based on what you've said above, used the local arp cache on the server to populate IP addresses.

Removing -o, so just having -vp, it crawls all the switches and updates them and their interfaces fine, but does nothing at all with the arpwatch data.

If I change that to '-vpN arpwatch' (or '-vopN arpwatch'), it again reads the arpwatch data but this time actually parses it and loads it to the database.  However, it then doesn't discover the switches. It seems to check them for interface address changes and that's all.  The run takes <1 minute rather than 3-4 minutes, and all devices now show 'discover obsolete' as they've not been updated in several hours.

Actually, looking in the code, it does exit after calling ArpWatch() if -N is used, so am I right in thinking I should run it twice, using -vp to update switches, then -vN arpwatch to update nodes? (maybe only parse arpwatch data less often than polling switches?)

rickli

Re: arpwatch data mostly missing
« Reply #7 on: February 19, 2015, 08:52:44 PM »
That's correct. The -N option (as in resolve Names) is new. If you run nedi.pl -N 10.10.10.1-255 it'll simply scan all DNS entries in this ip range and write them to the dns table. With -N arpwatch it'll use arpwatch data instead. Once this is done you can review your subnets for non-existent DNS entries etc. as stated in this post:

https://plus.google.com/u/0/b/106414135314831644755/106414135314831644755/posts/EkGzNDtWufH?pid=6075357074050648306&oid=106414135314831644755

I still need to find the time to finish documentation on all those options....

BTW, do you really want to discover devices based on vendor strings? Do you have ouidev configured to match (rather exotic) devices? Because that's what -o is for...
« Last Edit: February 19, 2015, 11:42:27 PM by rickli »

nti

  • Newbie
  • Posts: 15
Re: arpwatch data mostly missing
« Reply #8 on: May 18, 2015, 11:46:52 PM »
Quote
Use of uninitialized value in hash element at /var/nedi/inc/libmisc.pm line 1529.
Quote
Use of uninitialized value $i[0] in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 745.
Use of uninitialized value in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 745.
Use of uninitialized value in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 745.
Use of uninitialized value $i[0] in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 748.
Use of uninitialized value in concatenation (.) or string at /var/nedi/inc/libmisc.pm line 748.

Same problem here with 1.14p3. I call "nedi.pl -v -N arpwatch" first. Then "nedi.pl -v -po" and I have hundreds of "Use of uninitialized value".

Code:
Use of uninitialized value in hash element at /usr/local/www/nedi/inc/libmisc.pm line 1533.
Use of uninitialized value in hash element at /usr/local/www/nedi/inc/libmisc.pm line 1533.
Use of uninitialized value in hash element at /usr/local/www/nedi/inc/libmisc.pm line 1533.
ARPW:176 arpwatch entries used

Write ArpND -------------------------------------------------------------------
Use of uninitialized value $i[0] in concatenation (.) or string at /usr/local/www/nedi/inc/libmisc.pm line 745.
Use of uninitialized value in concatenation (.) or string at /usr/local/www/nedi/inc/libmisc.pm line 745.
Use of uninitialized value in concatenation (.) or string at /usr/local/www/nedi/inc/libmisc.pm line 745.
Use of uninitialized value $i[0] in concatenation (.) or string at /usr/local/www/nedi/inc/libmisc.pm line 748.
Use of uninitialized value in concatenation (.) or string at /usr/local/www/nedi/inc/libmisc.pm line 748.

Nicola

rickli

Re: arpwatch data mostly missing
« Reply #9 on: May 19, 2015, 04:39:03 PM »
Do you really need -o ? Also can you post some arpwatch lines?

Just to be sure, you're using nedi 1.4.300 patch3?

nti

Re: arpwatch data mostly missing
« Reply #10 on: May 19, 2015, 05:44:41 PM »
nedi.pl version 1.4.300 calling Getopt::Std::getopts (version 1.07 [paranoid]),
running under Perl version 5.18.4.

the date of msgt.txt is 26.Feb 15 17:34

We have linksys switches and can't get the nodes any other way. Also I use nbtscan to produce arpwatch-like files to get more names of nodes that have no dns entry.
Code:
0:11:4b:2:75:36 192.168.160.222 1431961253
60:36:dd:f9:b9:97 192.168.160.222 1431936342
0:15:58:7d:e0:f7 192.168.160.22 1432047979 nb-0141-tsch
6c:88:14:3c:9a:0 192.168.160.223 1432048644
88:9f:fa:fd:e3:7a 192.168.160.223 1431957718
54:72:4f:1e:34:db 192.168.160.224 1432039802
f8:b1:56:a0:b7:49 192.168.160.224 1432020838
8:fc:88:a9:7b:99 192.168.160.226 1432044383
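
An added example (not NeDi's own code, written in Python rather than Perl) that applies the logic of the ArpWatch() excerpt in Reply #2 to data lines in the format posted above: keep the newest record per MAC, honour an iponly-style switch for the hostname column, and report IPs that the newest records assign to more than one MAC. The sample lines are constructed in that format; two of the MACs and the shared 192.168.160.222 are taken from the post, the fourth line is invented.

```python
"""Parse arpwatch-style lines (MAC IP epoch [hostname]) and keep the newest
record per MAC, as the thread's ArpWatch() logic does. Added example."""
import re
from collections import defaultdict

# Constructed sample: two MACs claim 192.168.160.222, one record carries a
# NetBIOS/DNS name, and the last line is an older record for the first MAC.
SAMPLE = """\
0:11:4b:2:75:36 192.168.160.222 1431961253
60:36:dd:f9:b9:97 192.168.160.222 1431936342
0:15:58:7d:e0:f7 192.168.160.22 1432047979 nb-0141-tsch
0:11:4b:2:75:36 192.168.160.230 1431900000
"""

MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$", re.I)

def norm_mac(mac):
    """arpwatch writes unpadded octets ('0:11:4b:2:75:36'); normalise to 12
    lowercase hex digits so lookups against switch-learned MACs can match."""
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC: %r" % mac)
    return "".join(o.zfill(2) for o in mac.lower().split(":"))

def parse_arpwatch(text, iponly=False):
    """Return {mac: {'ip', 'time', 'name'}}, keeping only the newest record
    per MAC (the '$ad[2] > $amc{$mc}{time}' test in the Perl excerpt)."""
    amc = {}
    for ln in text.splitlines():
        ad = ln.split()
        if len(ad) < 3 or not ad[2].isdigit():
            continue                      # blank or malformed line: skip it
        try:
            mc = norm_mac(ad[0])
        except ValueError:
            continue                      # not a MAC: skip rather than warn
        t = int(ad[2])
        if mc not in amc or t > amc[mc]["time"]:
            name = ad[3] if len(ad) > 3 and not iponly else ""
            amc[mc] = {"ip": ad[1], "time": t, "name": name}
    return amc

def ip_conflicts(amc):
    """IPs held by more than one MAC in the newest records: the flip-flops
    arpwatch exists to flag, and a reason node IPs may come out wrong."""
    by_ip = defaultdict(set)
    for mc, rec in amc.items():
        by_ip[rec["ip"]].add(mc)
    return {ip: sorted(m) for ip, m in by_ip.items() if len(m) > 1}
```

Running parse_arpwatch(SAMPLE) on the sample keeps the 1431961253 record for 0:11:4b:2:75:36 and ip_conflicts() then reports 192.168.160.222 as claimed by two MACs.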

rickli

Re: arpwatch data mostly missing
« Reply #11 on: May 20, 2015, 03:54:49 PM »
Ok, those warnings are ugly but don't affect discovery. It'll be fixed in the upcoming patch4...tx