Bruco, 6th March 2009

This is what one of the emails from arpwatch looks like. In this example the device plugged in was an HP thin client. Those do broadcast a NetBIOS name, but do not register in DNS:

Code:
            hostname: <unknown>
          ip address: 192.168.3.8
    ethernet address: 0:f:20:d9:5b:23
     ethernet vendor: Hewlett Packard
           timestamp: Monday, March 2, 2009 15:42:03 -0500

If a name exists in DNS, arpwatch will include it in that email. Not if it's just a NetBIOS name, though. If I could cram that nmblookup into what arpwatch does somehow it would probably do the trick!

(And yes, you are probably noticing that weird MAC address - I think arpwatch has problems with 0 as the first character in each set. Not a big deal.)

phoenix - Yeah, you are right. And I could do MAC filtering on my Cisco switches too. But I don't think they want me to be that exclusive... yet. So for the time being I can content myself with knowing whenever a new device plugs into the network!
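One way to get the enrichment the post wishes for, as an added example that is not from the original post or from arpwatch itself: a Python filter that parses the arpwatch mail body, pads the MAC octets arpwatch shortens, and fills in the NetBIOS name from `nmblookup -A` when the hostname is `<unknown>`. The function names and the sample nmblookup output (including the name HPTHIN01) are constructed for illustration, and it assumes Samba's nmblookup is installed on the arpwatch host.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `nmblookup -A` output; HPTHIN01 is a made-up name.
SAMPLE_NMB = """Looking up status of 192.168.3.8
\tHPTHIN01        <00> -         B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tMAC Address = 00-0F-20-D9-5B-23
"""

def parse_report(body):
    """Turn the 'key: value' lines of an arpwatch mail body into a dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def pad_mac(mac):
    """arpwatch prints octets without leading zeros (0:f:20 -> 00:0f:20)."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def netbios_name(nmb_output):
    """Return the first unique <00> (workstation) name, skipping <GROUP> rows."""
    m = re.search(r"^\s+(\S+)\s+<00>\s+-(?!\s*<GROUP>)", nmb_output, re.M)
    return m.group(1) if m else None

def run_nmblookup(ip):
    """Node-status query via Samba's nmblookup; empty string on failure."""
    try:
        return subprocess.run(["nmblookup", "-A", ip], capture_output=True,
                              text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

def enrich(body, lookup=run_nmblookup):
    """Pad the MAC and fill in a NetBIOS name when DNS gave arpwatch none."""
    report = parse_report(body)
    if "ethernet address" in report:
        report["ethernet address"] = pad_mac(report["ethernet address"])
    if report.get("hostname") == "<unknown>":
        try:  # the mail body is untrusted input: only query a literal IP
            ip = str(ipaddress.ip_address(report.get("ip address", "")))
        except ValueError:
            return report
        report["hostname"] = netbios_name(lookup(ip)) or "<unknown>"
    return report
```

Feeding the mail body to `enrich()` from a mail filter returns the same fields with the hostname replaced when the device answers the NetBIOS node-status query.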