
Author Topic: Arpwatch problems  (Read 3573 times)

JohnCLRC

  • Guest
Arpwatch problems
« on: March 04, 2014, 08:49:11 PM »
I am trying NeDi once more after having tried it a few years ago.  One of the main things I need to do with it is locate the switch port that a computer is connected to given the computer's IP address.  I have mainly HP ProCurve switches in house, no routers, and a Cisco firewall on the edge.  NeDi is discovering all of the switches properly and I have Cli configured and working to backup the configs.  I have looked and found that arpwatch sees the IP addresses and MAC combinations of all the computers in house properly, and records the changes when DHCP hands out a different IP to the same machines.  I have also watched NeDi perform a discover on one of my switches and it collects the BridgeFwd and performs BuildArp properly.

The problem that I am having is that after all of this I am still having old information displayed when I perform a Node|List and search for a specific IP address.  I used an IP address that I know is assigned to a computer on a switch port of the switch I watched the discovery on.  The BuildArp connected the MAC and the IP correctly.  But when I perform the Node|List and search for that IP I get information that is a day old when the IP was assigned to a different computer.

I have searched through the forum, but found nothing to help resolve this issue.  Am I missing something simple?

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2780
    • View Profile
    • NeDi
Re: Arpwatch problems
« Reply #1 on: March 04, 2014, 09:22:12 PM »
If you have to use arpwatch, I'd recommend waiting for the upcoming release, which leverages timestamps in arp.dat.
Alternatively you can use SSH to fetch ARP entries of an ASA (assuming this is what you use as FW)...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

JohnCLRC

  • Guest
Re: Arpwatch problems
« Reply #2 on: March 04, 2014, 10:54:56 PM »
Thank you for the quick reply.

I commented out the use of arpwatch and it looks like I am starting to get the correct information from the Node|List.  I noticed that I am now getting the old information and the new information.  That can be very helpful.  Is there a default amount of time that I will receive the old info?  I also noticed that I am not seeing a name for the nodes that I am searching for.  Can you lead me in the right direction to resolve this?  Is this done on the ASA or the machine with NeDi?  I have enabled domain-lookup on the ASA.

Again, thank you.  I look forward to evaluating NeDi and seeing if I can get my boss to "buy in" on it.  If so I will work on getting the Other|Invoice thing done as well.

Looks good so far.   :)

Hannu Liljemark

  • Full Member
  • ***
  • Posts: 149
  • Here to help
    • View Profile
Re: Arpwatch problems
« Reply #3 on: March 05, 2014, 12:45:16 PM »
I also noticed that I am not seeing a name for the nodes that I am searching for.  Can you lead me in the right direction to resolve this?  Is this done on the ASA or the machine with NeDi?  I have enabled domain-lookup on the ASA.

Is your Nedi machine doing name resolution from some DNS? Are your nodes registered to that DNS manually or dynamically? Are A records and PTR records created for all nodes?

Br,
Hannu

JohnCLRC

  • Guest
Re: Arpwatch problems
« Reply #4 on: March 05, 2014, 04:26:33 PM »
Hannu,

I have looked at the DNS servers and found that they have some issues with creating A and PTR records properly for the nodes.  I will look into fixing this issue.

Thanks for pointing me in the right direction.


rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2780
    • View Profile
    • NeDi
Re: Arpwatch problems
« Reply #5 on: March 05, 2014, 05:47:52 PM »
Glad to hear John. I'm going to rely on this very soon...announcement follows!

In nedi.conf "retire" defines when a node will be deleted from the DB. However interfaces and IP addresses are tracked back to the first occurrence. You can truncate those tables via System-Export Execute -> Select items on the bottom (Execute Maintenance)
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

JohnCLRC

  • Guest
Re: Arpwatch problems
« Reply #6 on: March 05, 2014, 08:09:24 PM »
Just finished resolving my DNS issues.  I confirmed that both A and PTR records exist for a Node I am searching for in the Node|List.  I then looked in the Node|List for a specific IP Address and did not see a Node Name associated with it.  I made sure that time has passed for another discovery to happen.  Is there still something I am missing on this?

To answer earlier questions:
NeDi machine is doing name resolution from a DNS server (It can ping the Node by name).  Nodes are registered dynamically with DNS since they are using DHCP.  A and PTR records are now being created for all Nodes (had a problem that was stopping this from happening, but that has been resolved).


Thank you,
John

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2780
    • View Profile
    • NeDi
Re: Arpwatch problems
« Reply #7 on: March 05, 2014, 09:09:01 PM »
If MAC-IP relation doesn't change, the name won't be updated (to keep DNS-stress low). After "retire" days without update it'll be forced...

To get this resolved quicker, you could set retire to 2 and wait a couple of days. Set it back to 30 or whatever seems fit after all nodes have names...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo
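The two behaviours this thread turns on, stale arp.dat entries being reported when timestamps are ignored (reply #1) and node names only being re-resolved when the MAC/IP pairing changes or the "retire" window has passed (replies #5 and #7), as an added example. This is not NeDi's or arpwatch's own code; it assumes the arpwatch arp.dat layout of tab-separated mac, ip, unix timestamp and optional hostname, stands in a dict for the PTR lookup so it runs offline, and every address, name and timestamp in it is constructed. For an incident responder trying to find the switch port behind an IP, the difference between the timestamp-blind and timestamp-aware lookups is exactly the mis-attribution John hit.

```python
"""Added example, not NeDi's or arpwatch's own code: reconcile arpwatch
arp.dat entries by timestamp (the stale-mapping problem in this thread) and
apply a "retire"-style policy for when a node name is re-resolved.

arp.dat lines are tab-separated: mac, ip, unix timestamp, optional hostname.
Every sample value below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 86400
RETIRE_DAYS = 30  # stands in for nedi.conf "retire" (assumed value)
NOW = 1393900000  # constructed "current time" so the example runs offline


@dataclass
class ArpEntry:
    mac: str
    ip: str
    seen: int             # unix timestamp of the last sighting / last update
    name: Optional[str]   # hostname column, if present


# Constructed arp.dat content: 10.0.0.50 changed owner, 10.0.0.9 went quiet.
SAMPLE_ARP_DAT = "\n".join([
    "0:11:22:33:44:55\t10.0.0.50\t1393800000\tpc-old.example.net",  # yesterday
    "0:11:22:33:44:66\t10.0.0.50\t1393886400\tpc-new.example.net",  # today
    "0:11:22:33:44:55\t10.0.0.51\t1393886500\tpc-old.example.net",  # moved host
    "0:11:22:33:44:77\t10.0.0.9\t1380000000\t",                      # weeks ago
    "not a valid line",
])


def parse_arp_dat(text: str) -> List[ArpEntry]:
    """Parse arp.dat, skipping lines that lack mac/ip/timestamp."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        name = parts[3] if len(parts) > 3 and parts[3] else None
        entries.append(ArpEntry(parts[0].lower(), parts[1], int(parts[2]), name))
    return entries


def naive_first_match(entries, ip):
    """Timestamp-blind lookup: returns whichever entry for the IP comes
    first in the file, which is how a day-old owner gets reported."""
    for e in entries:
        if e.ip == ip:
            return e
    return None


def latest_mac_per_ip(entries, now=NOW, retire_days=RETIRE_DAYS):
    """Keep the most recently seen MAC for each IP and drop entries not seen
    for more than retire_days, mirroring a node that has been retired."""
    best: Dict[str, ArpEntry] = {}
    for e in entries:
        if now - e.seen > retire_days * DAY:
            continue
        cur = best.get(e.ip)
        if cur is None or e.seen > cur.seen:
            best[e.ip] = e
    return best


def needs_name_refresh(stored, observed, now=NOW, retire_days=RETIRE_DAYS):
    """Re-resolve only when nothing is stored yet, when the MAC/IP pairing
    changed, or when the stored record is older than retire_days."""
    if stored is None:
        return True
    if (stored.mac, stored.ip) != (observed.mac, observed.ip):
        return True
    return now - stored.seen > retire_days * DAY


def refresh_names(stored, table, resolver, now=NOW, retire_days=RETIRE_DAYS):
    """Return the updated node table. `resolver` maps ip -> name (a dict here
    so the example runs offline; a real run would do a PTR lookup)."""
    updated = {}
    for ip, obs in table.items():
        old = stored.get(ip)
        if needs_name_refresh(old, obs, now, retire_days):
            updated[ip] = ArpEntry(obs.mac, obs.ip, obs.seen, resolver.get(ip))
        else:
            updated[ip] = old
    return updated


if __name__ == "__main__":
    entries = parse_arp_dat(SAMPLE_ARP_DAT)
    print("naive :", naive_first_match(entries, "10.0.0.50").mac)   # stale owner
    table = latest_mac_per_ip(entries)
    print("latest:", table["10.0.0.50"].mac)                         # current owner
    stored = {"10.0.0.50": ArpEntry("0:11:22:33:44:55", "10.0.0.50",
                                    1393800000, "pc-old.example.net")}
    ptr = {"10.0.0.50": "pc-new.example.net", "10.0.0.51": "pc-old.example.net"}
    for ip, node in refresh_names(stored, table, ptr).items():
        print(ip, node.mac, node.name)
```

Lowering `retire_days` to 2, as suggested in reply #7, makes `needs_name_refresh` return True for any record not updated in the last two days, which is why names fill in within a couple of discovery cycles; note that it also shortens how long a retired node's history stays available, so the value is worth restoring afterwards.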

JohnCLRC

  • Guest
Re: Arpwatch problems
« Reply #8 on: March 05, 2014, 10:44:22 PM »
I will give that a try.  Thanks