#!/usr/bin/perl -Tw
use constant EMAIL => 'email@yourdomain.com';
use constant SERVER => 'mail.yourdomain.com';
use Net::PcapUtils;
use Net::SMTP;
use NetPacket::ARP;
use NetPacket::Ethernet qw/:types/;
use strict;
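# Last MAC address seen for each sender IP address, keyed by dotted-quad IP.
# NOTE(review): entries are never expired and the table lives only in memory,
# so it grows with every distinct sender address seen on the wire and the
# baseline is lost on restart.
my %ether;

# Envelope sender and From: header used for alert mail.
my $sender = 'root@yourdomain.com';

# Mail one alert describing an IP address whose MAC address has changed.
#
# A fresh SMTP session is opened for every alert. A single session opened at
# start-up cannot be reused: it is closed by quit() after the first message
# and would in any case idle out between alerts on a long-running monitor.
#
# Arguments: the IP address, the MAC address previously recorded for it, and
# the MAC address just observed. Failures are reported with warn() so that
# the capture loop keeps running.
sub _send_alert {
    my ($ip, $old_mac, $new_mac) = @_;

    my $mail = Net::SMTP->new(SERVER);
    unless ($mail) {
        warn "Cannot connect to SMTP server; alert for $ip not sent\n";
        return;
    }

    # SMTP requires MAIL FROM before RCPT TO; servers reject the reverse order.
    unless ($mail->mail($sender) && $mail->to(EMAIL)) {
        warn "SMTP server rejected envelope; alert for $ip not sent\n";
        $mail->quit;
        return;
    }

    $mail->data;

    # Minimal headers, then the blank line that separates them from the body.
    $mail->datasend("To: ", EMAIL, "\n");
    $mail->datasend("From: ", $sender, "\n");
    $mail->datasend("Subject: ARP change detected for ", $ip, "\n\n");

    $mail->datasend("There has been a change in the MAC address associated with IP address ", $ip, "!\n\n");
    $mail->datasend(" Previous hardware MAC address -> ", $old_mac, "\n");
    $mail->datasend(" Current hardware MAC address -> ", $new_mac, "\n");

    warn "SMTP server did not accept alert for $ip\n"
        unless $mail->dataend;
    $mail->quit;
    return;
}

# Watch ARP traffic on eth0 and alert when the MAC address claimed for an
# already-known IP address changes. The first sighting of an IP address is
# recorded without an alert, so the baseline is trusted on first use.
#
# NOTE(review): every mismatching ARP packet produces one mail. Two hosts
# contending for the same address will therefore generate a mail per packet;
# consider throttling alerts per IP address.
my $err = Net::PcapUtils::loop(
    sub {
        my ($arg, $header, $packet) = @_;

        my $ethernet = NetPacket::Ethernet->decode($packet);
        return unless $ethernet->{'type'} == ETH_TYPE_ARP;

        my $arp = NetPacket::ARP->decode($ethernet->{'data'}, $ethernet);

        # 'spa' and 'sha' are hex strings; split them into octets to build
        # the dotted-quad IP address and the colon-separated MAC address.
        my $ip  = join '.', map { hex } ($arp->{'spa'} =~ /([[:xdigit:]]{2})/g);
        my $mac = join ':', ($arp->{'sha'} =~ /([[:xdigit:]]{2})/g);

        # ARP probes (address-conflict detection) carry sender IP 0.0.0.0.
        # Tracking that address would raise an alert whenever two different
        # hosts probe, so it is neither recorded nor compared.
        return if $ip eq '0.0.0.0';

        if ((exists $ether{$ip}) && ($ether{$ip} ne $mac)) {
            _send_alert($ip, $ether{$ip}, $mac);
        }
        $ether{$ip} = $mac;
        return;
    },
    'DEV' => 'eth0'
);

# Net::PcapUtils::loop hands back an error message when capture could not be
# started or stopped abnormally; surface it instead of exiting silently.
die "Packet capture on eth0 failed: $err\n" if $err;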
In reply to ARP Watch
by rob_au