Re: OT: Arpwatch - meaning of bogon
At 14:30 -0700 on 12/16/00, Kai Gallasch wrote:
> I was wondering what the arpwatch-entry in syslog
>
>
> ---snip---
>
> ns1 arpwatch: bogon 123.123.123.123 0:0:c0:d5:66:f7
>
> ---snip---
>
>
> stands for..
> Maybe it's got something to do with "bogus on" - but
> what could be meant by bogus?
Others have already pointed out that 'bogon' means a particle of bogosity.
In that case, arpwatch is telling you that IP address 123.123.123.123 is
bogus because it doesn't fit in the net/width of your listening interface.
arpwatch 2.1a10 circa 14 Oct. 2000 (freebsd/openbsd port not updated yet?)
has a couple of the features from a patch I suggested a few months ago,
though with saner command line options and presumably saner coding.
I needed arpwatch to record any IP, even bogons, or to consider IPs in
specified nets OK even if the IPs didn't match the base net/width of the
listening interface.

    SYNOPSIS
         arpwatch [ -dN ] [ -f datafile ] [ -i interface ]
                  [ -n net[/width ]] [ -r file ]
    ...
         The -n flag specifies additional local networks. This can be
         useful to avoid "bogon" warnings when there is more than one
         network running on the same wire. If the optional width is
         not specified, the default netmask for the network's class
         is used.
    ...
         The -N flag disables reporting any bogons.

The rest of the features I suggested in my patch (alternate email
destinations, support for ignoring specified MAC address mismatches [1])
seem to have not made the grade. :-)
I'll see about updating my MAC address mismatch masking for the new
arpwatch version after the new year, unless someone wants it sooner.
Richard
[1] You'll see a lot of the following if you're watching ARPs from across
an 802.11b wireless bridge to a 10baseT LAN or the like:

    ethernet mismatch
         The source mac ethernet address didn't match the
         address inside the arp packet.

The source MAC addr on the packet will of course be that of the
wireless<->ethernet bridge, while the MAC addr inside the packet will be
the other host's actual ethernet MAC addr.
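
Added example, not part of the original message and not arpwatch's own code: a C sketch of the bogon test described above, where an ARP sender IP is a bogon unless it falls inside the interface net/width or a net given with -n, and a net without a width gets its class's default mask. The names parse_net, is_bogon and classful_mask are hypothetical, and the networks in main() are constructed sample values.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct net { uint32_t addr, mask; };    /* host byte order */

/* Default mask for the address's class: A /8, B /16, otherwise /24. */
static uint32_t classful_mask(uint32_t a) {
    if ((a & 0x80000000u) == 0) return 0xff000000u;
    return (a & 0xc0000000u) == 0x80000000u ? 0xffff0000u : 0xffffff00u;
}

/* Parse "net" or "net/width" as given to -n; 0 on success, -1 on bad input. */
int parse_net(const char *spec, struct net *out) {
    char buf[32], *slash, *end;
    struct in_addr ia;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL) *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &ia) != 1) return -1;
    out->mask = classful_mask(ntohl(ia.s_addr));
    if (slash) {    /* explicit width overrides the class default */
        long w = strtol(slash, &end, 10);
        if (end == slash || *end != '\0' || w < 0 || w > 32) return -1;
        out->mask = w ? 0xffffffffu << (32 - w) : 0;
    }
    out->addr = ntohl(ia.s_addr) & out->mask;
    return 0;
}

/* 1 if ip lies in none of the nets (a bogon), 0 if local, -1 on bad ip. */
int is_bogon(const char *ip, const struct net *nets, size_t n) {
    struct in_addr ia;
    if (inet_pton(AF_INET, ip, &ia) != 1) return -1;
    for (size_t i = 0; i < n; i++)
        if ((ntohl(ia.s_addr) & nets[i].mask) == nets[i].addr) return 0;
    return 1;
}

int main(void) {
    struct net nets[2];    /* constructed: interface net, then one -n net */
    if (parse_net("192.168.1.0/24", &nets[0]) || parse_net("10.0.0.0", &nets[1]))
        return 1;
    printf("%d %d\n", is_bogon("123.123.123.123", nets, 2),
           is_bogon("10.9.8.7", nets, 2));
    return 0;
}
```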