Draft, on-going: this produces too many files (one snapshot per run). We need a more elegant way to track and handle the ARP snapshots.
Instead of actively searching for peers with nmap as shown in the script below, you might want to do that on a gateway instead. In any case you will only get a defined subnet; we are not monitoring the whole LAN.
Also, this is not live monitoring. The cron job may be set up at a five-minute rate or so (even though the scan itself only takes a few seconds, depending on the scan method chosen in the script).
The arp -a command also does name resolution (static and dynamic), so we can check against both DNS and ARP cache poisoning at once.
First, you need to make sure you will receive crontab's output by email. Watch the mail log (whichever of the two paths exists on your system) while sending a test message to root:

tail -F /var/log/mail.log
tail -F /var/log/maillog

date | mail -s `hostname` root
Prepare a first shot:

mkdir -p $HOME/arp/
cd $HOME/arp/
arp -a | sort > `date +%s`
Get the script up and running in a cron job:

cd ~/bin/
wget http://pub.nethence.com/bin/backup/arpcheck.ksh.txt
mv -i arpcheck.ksh.txt arpcheck.ksh
chmod +x arpcheck.ksh

Then edit the script and set the subnet to scan:

vi arpcheck.ksh

subnet=x.x.x.x/xx
and check that it runs by hand:

$HOME/bin/arpcheck.ksh

then schedule it every five minutes:

crontab -e

PATH=/usr/local/sbin:/usr/local/bin:/usr/pkg/sbin:/usr/pkg/bin:/usr/sbin:/usr/bin:/sbin:/bin:$HOME/bin
*/5 * * * * /root/bin/arpcheck.ksh
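The snapshot-and-compare logic described above, as an added example that is not the nethence arpcheck.ksh script: it keeps only a current and a previous snapshot instead of one file per run (the "too many files" problem noted at the top), and it reports an IP whose MAC changed (ARP cache) separately from an IP whose resolved name changed (DNS), so cron mails only the differences. The "name (ip) at mac ..." arp -a line format, the $HOME/arp directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the arpcheck.ksh script from the page.
# Assumes the Linux/BSD arp -a format: "name (ip) at mac ..." (assumption).
export LC_ALL=C                       # consistent ordering for sort and join
ARPDIR="${ARPDIR:-$HOME/arp}"         # assumed location of the two snapshots

# Normalise arp -a lines into "ip mac name", sorted on the ip so join(1) works.
# Unresolved names show up as "?" and pending entries as "<incomplete>".
arp_normalise() {
    awk '{ ip = $2; gsub(/[()]/, "", ip); print ip, $4, $1 }' | sort
}

# Take a live snapshot: rotate current -> previous, then write a new current.
# Needs arp(8) on the host; the offline test below does not call this.
arp_snapshot() {
    mkdir -p "$ARPDIR"
    [ -f "$ARPDIR/current" ] && mv -f "$ARPDIR/current" "$ARPDIR/previous"
    arp -a | arp_normalise > "$ARPDIR/current"
}

# Compare two normalised snapshots (previous, current); one finding per line.
# join pads missing sides with "-" so new and vanished entries are visible.
arp_compare() {
    join -a1 -a2 -e - -o 0,1.2,2.2,1.3,2.3 "$1" "$2" | awk '
        $2 == "-" { print "NEW",          $1, $3, $5;           next }
        $3 == "-" { print "GONE",         $1, $2, $4;           next }
        $2 != $3  { print "MAC-CHANGED",  $1, $2 "->" $3;       next }
        $4 != $5  { print "NAME-CHANGED", $1, $4 "->" $5 }'
}

# Cron entry point: anything printed here is what cron mails to root.
arp_check() {
    arp_snapshot
    if [ -f "$ARPDIR/previous" ]; then
        arp_compare "$ARPDIR/previous" "$ARPDIR/current"
    fi
}

if [ "$1" = run ]; then arp_check; fi
```

Run it as `arpdiff.sh run` from the crontab line instead of arpcheck.ksh; a MAC-CHANGED line for the gateway address is the ARP-poisoning signal, a NAME-CHANGED line the DNS one.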
What are the reasons for seeing an incomplete ARP? https://networkengineering.stackexchange.com/questions/50843/what-are-the-reasons-for-seeing-an-incomplete-arp
Command-line tool to obtain OUI vendor info from MAC address? https://unix.stackexchange.com/questions/248769/command-line-tool-to-obtain-oui-vendor-info-from-mac-address