Feature Request: Arpwatch add-on

I’m new to the forum so I apologize if this is in the wrong place or I missed any rules. I would like to submit a feature request for an Arpwatch (or similar) add-on to notify me when a new device connects to my network. This is an important feature for keeping me notified about devices on certain networks. I am currently using a different firewall which has that feature but would like to move to IPFire and this is the only hold-up. Yes, I could build a separate machine to run Arpwatch but I don’t want to for a variety of reasons. I also do not want to build anything custom from source, I just want to use the latest stable version of IPFire and supported packages. Thanks! (If it happens I will donate!)

3 Likes

to wish list

with nprobe implementation to i686 systems!

@ex1580 - Hi Sam. Welcome to the IPFire Community!

I’ve not heard of Arpwatch, but maybe Who Is Online? will help. This is an addon for IPFire.

https://wiki.ipfire.org/addons/wio

WIO only reports known devices on the network. “arpwatch” reports as soon as an unknown / unlisted device is detected by the router.
In principle, the arp-list is monitored and entries that are not in the device list are reported.

Hi all,

It seems to me that:

  • the “Who is online” addon does not automatically add a new network device to the list (you have to enter it manually, or run an ARP search, then select and validate the item)
    …and
  • once this new device is in the list, the email notification is not activated by default (you have to enable the option to send mail when the device connects to the network)

But it may be an interesting idea for the development of this addon :wink:

Edit: @anon79392304, we answered the same, but in a different way

Arpwatch builds a little list of known devices by MAC and IP address pairings. If a new device shows up or an old device changes MAC or IP then you get an email alert. After a “learning” period it is very handy for detecting not only new devices but also DHCP issues, or finding that new thing you just plugged in without having to look at the DHCP server. I often use it to figure out if guests are having trouble connecting (because they really wanted to connect then didn’t) and showing up to assist before they have to ask. It’s very handy.

I’ve been thinking about this and other solutions that I would be OK with are notifications for captive portal authentication, or some sort of NAC/NAP, or a device inventory package of sorts. I could have a Terms and Conditions captive portal with unlimited expiration and an email notification, that might be easier than building a whole new package. I don’t want to install another server and for something this lightweight I feel that the DHCP box (IPFire) is a good location. I just want a notification the first time a new device connects without having to log in to see.

I was reviewing how to build a package and I just can’t do that. No computer for that, no time either (family duties take priority always). Here is the source if someone else wants to give it a shot. If you have a build environment already it shouldn’t take long at all. https://ee.lbl.gov/downloads/arpwatch/

1 Like

I would like to have arpwatch in IPFire. I had one on an old server with Debian, but the new Debian has systemd and the arpwatch package was not migrated to systemd in the correct way and it is broken. Arpwatch logs the history of all MAC addresses seen in the LAN and this information could be used for troubleshooting or security audit…

For what it is worth, I believe much of the needed info is available in the messages log. Here is a snippet of my message log:

Jun 11 00:31:29 ipfire dhcpd: Commit: IP: 192.168.75.157  MAC: 00:07:a6:22:28:2e  Name: LEVDS-Dimmer  MAC2: 00:07:a6:22:28:2e
Jun 11 00:31:29 ipfire dhcpd: DHCPREQUEST for 192.168.75.157 from 00:07:a6:22:28:2e (LEVDS-Dimmer) via blue0
Jun 11 00:31:29 ipfire dhcpd: Wrote 0 deleted host decls to leases file.
Jun 11 00:31:29 ipfire dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun 11 00:31:29 ipfire dhcpd: Wrote 140 leases to leases file.
Jun 11 00:31:29 ipfire dhcpd: DHCPACK on 192.168.75.157 to 00:07:a6:22:28:2e (LEVDS-Dimmer) via blue0

These days, with the developers so very busy, I would suggest to have you, or one of the other above posters, build up arpwatch. There are very few developers (all volunteers) and lots to do. If interested in helping, there is information in the Development area of the wiki:

3 Likes
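The approach suggested in the post above (reading the dhcpd entries in the messages log) can approximate the MAC/IP pairing alerts described earlier in the thread. The following is an added example, not part of any post and not Arpwatch or IPFire code; the function name, event labels and sample lines are constructed, and the parser assumes the `DHCPACK` line format shown in the snippet. It only sees devices that request a DHCP lease, so statically addressed hosts stay invisible, unlike with ARP monitoring.

```python
import re

# Matches the dhcpd DHCPACK line format shown in the log snippet above.
ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)

def watch(lines, known=None):
    """Return (events, known); known maps MAC -> last IP acknowledged."""
    known = dict(known or {})
    ip_owner = {ip: mac for mac, ip in known.items()}
    events = []
    for line in lines:
        m = ACK_RE.search(line)
        if not m:
            continue  # other dhcpd chatter, e.g. "Wrote 140 leases"
        ip, mac = m["ip"], m["mac"].lower()
        name, iface = m["name"] or "?", m["iface"]
        if mac not in known:
            events.append(("new-device", mac, ip, name, iface))
        elif known[mac] != ip:
            events.append(("ip-changed", mac, ip, name, iface))
        prev = ip_owner.get(ip)
        if prev is not None and prev != mac:
            # Same IP now handed to a different MAC than before.
            events.append(("mac-changed", mac, ip, name, iface))
        known[mac] = ip
        ip_owner[ip] = mac
    return events, known

# Constructed sample lines in the same format as the snippet.
SAMPLE = [
    "Jun 11 00:31:29 ipfire dhcpd: DHCPACK on 192.168.75.157 to 00:07:a6:22:28:2e (LEVDS-Dimmer) via blue0",
    "Jun 11 00:31:29 ipfire dhcpd: Wrote 140 leases to leases file.",
    "Jun 11 00:40:02 ipfire dhcpd: DHCPACK on 192.168.75.200 to 02:00:00:00:00:01 (guest-phone) via blue0",
    "Jun 11 00:55:10 ipfire dhcpd: DHCPACK on 192.168.75.201 to 02:00:00:00:00:01 (guest-phone) via blue0",
    "Jun 11 01:05:44 ipfire dhcpd: DHCPACK on 192.168.75.157 to 02:00:00:00:00:02 via blue0",
]

if __name__ == "__main__":
    seed = {"00:07:a6:22:28:2e": "192.168.75.157"}  # already-learned device
    for event in watch(SAMPLE, seed)[0]:
        print(*event)
```

Persisting the returned `known` mapping between runs gives the "learning period" behaviour: only pairings not seen before produce events.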
