It seems like no one has actually used it… perhaps because they don’t need to.
What exactly is the purpose anyway? Just a logger for any changes in the ARP list? If people need this in realtime, an API application is a better choice (and is trivial to write with the “listen” command).
Hello
I confirm!
It works!
I changed the DHCP server lease to 365 days and I scheduled the script to run every 24 hours.
And the false alarms are reduced to zero.
It was posted in 2013, so not sure OP is still using this forum.
In short, it just creates and updates an ARP table list and sends a log entry and an email when new stuff appears or changes.
See my comments in the script (just a quick review, may be some errors).
PS: you can also send the DHCP logs to get more or less the same information.
:local ipaddr;
:local macaddr;
:local iface;
:local macoui;
:local macnotfound;
:local ipnotfound;
:local oldmac;
:local oldip;
/ip arp
# Walk every entry in the /ip arp table
:foreach i in=[ /ip arp find ] do={
    :set ipaddr [get $i address]
    :set macaddr [get $i mac-address]
    :set iface [get $i interface]
    # If the MAC is NOT in the arpwatch list set macnotfound to true, else false
    # (RouterOS expects do={ ... }, with the "=")
    :if ([/ip firewall address-list find list="arpwatch" comment=$macaddr] = "") do={
        :set macnotfound "true";
    } else={
        :set macnotfound "false";
    }
    # If the IP is NOT in the arpwatch list set ipnotfound to true, else false
    :if ([/ip firewall address-list find list="arpwatch" address=$ipaddr] = "") do={
        :set ipnotfound "true";
    } else={
        :set ipnotfound "false";
    }
    # If neither the MAC nor the IP is found, add both to the address list, log a warning and send an email
    :if ( $macnotfound = "true" && $ipnotfound = "true" ) do={
        /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
        :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
        # Build the OUI from the first three octets (characters 0,1 3,4 6,7 of the MAC)
        :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
        /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Info" body="New ARP Entry: $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
    }
    # If the MAC is found but the IP is not, find the old IP, replace it with the new one and send an email
    :if ( $macnotfound = "false" && $ipnotfound = "true" ) do={
        :foreach ip in=[/ip firewall address-list find list="arpwatch" comment=$macaddr] do={
            # Full path needed: the current menu is /ip arp, not the address list
            :set oldip [/ip firewall address-list get $ip address]
        }
        # Restrict the removal to the arpwatch list so other address lists are left alone
        /ip firewall address-list remove [/ip firewall address-list find list="arpwatch" address=$oldip]
        /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
        # Log text matches the event (it was a copy of the "New MAC address" message)
        :log warning ("IP address changed: $oldip -> $ipaddr ($macaddr@$iface)")
        :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
        /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: IP Address Changed: $oldip -> $ipaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
    }
    # If the MAC is not found but the IP is, find the old MAC for that IP, update it and send an email
    :if ( $macnotfound = "true" && $ipnotfound = "false" ) do={
        :foreach mac in=[/ip firewall address-list find list="arpwatch" address=$ipaddr] do={
            :set oldmac [/ip firewall address-list get $mac comment]
        }
        /ip firewall address-list remove [/ip firewall address-list find list="arpwatch" comment=$oldmac]
        /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
        :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
        :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
        /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: MAC Address Changed: $oldmac -> $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
    }
    # Both the MAC and the IP are already somewhere in the list: only log it
    :if ( $macnotfound = "false" && $ipnotfound = "false" ) do={
        :log warning ("IP: $ipaddr and MAC: $macaddr already have been added")
    }
}
The script is OK, but it is missing some = after do.
I mostly get the same information from my DHCP script.
This script also gets the interface or bridge info and info from devices with static IP.
DHCP gives more info about the device.
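The decision logic of the script above, as an added example in Python that is not code from the thread: it compares successive ARP table snapshots with stored IP-to-MAC bindings. It goes beyond the script in two places: a host holding two addresses is reported once as EXTRA-IP, and a known MAC that starts answering for a known IP is reported as MAC-CHANGED (the script's last branch treats that as already added). Function names, alert labels and all addresses are constructed for illustration.

```python
# Added example (not from the thread): ARP-watch decision logic over snapshots.
# All names, labels and addresses below are constructed sample data.
from typing import Dict, List, Tuple
Row = Tuple[str, str, str]  # (ip, mac, interface), one row of an ARP table

def watch(known: Dict[str, str], rows: List[Row]) -> List[str]:
    """Compare ARP rows with stored ip -> mac bindings, update them, return alerts."""
    rows = [(ip, mac.upper(), iface) for ip, mac, iface in rows if mac]  # skip incomplete
    live = {(ip, mac) for ip, mac, _ in rows}
    alerts = []
    for ip, mac, iface in rows:
        old_mac = known.get(ip)
        if old_mac == mac:
            continue  # this exact binding is already recorded
        old_ips = sorted(k for k, v in known.items() if v == mac)
        if old_mac is not None:
            # Known IP now answered by another MAC: replaced device or ARP spoofing.
            note = f" (MAC also holds {','.join(old_ips)})" if old_ips else ""
            alerts.append(f"MAC-CHANGED {ip}@{iface}: {old_mac} -> {mac}{note}")
        elif not old_ips:
            alerts.append(f"NEW {mac} ({ip}@{iface})")
        else:
            # Known MAC on an unknown IP. Drop only bindings that left the ARP table,
            # so a host with two addresses does not alert on every run.
            gone = [o for o in old_ips if (o, mac) not in live]
            for o in gone:
                del known[o]
            kind = "IP-CHANGED" if gone else "EXTRA-IP"
            alerts.append(f"{kind} {mac}: {','.join(gone or old_ips)} -> {ip}@{iface}")
        known[ip] = mac
    return alerts

def demo() -> List[List[str]]:
    known: Dict[str, str] = {}
    runs = [
        [("192.0.2.1", "02:00:00:00:00:01", "bridge"),    # gateway
         ("192.0.2.10", "02:00:00:00:00:0a", "bridge")],  # client
        [("192.0.2.1", "02:00:00:00:00:01", "bridge"),
         ("192.0.2.11", "02:00:00:00:00:0a", "bridge")],  # client got a new lease
        [("192.0.2.1", "02:00:00:00:00:0a", "bridge"),    # client MAC claims gateway IP
         ("192.0.2.11", "02:00:00:00:00:0a", "bridge"),
         ("192.0.2.12", "", "bridge")],                   # incomplete entry
    ]
    return [watch(known, rows) for rows in runs]

if __name__ == "__main__":
    for n, alerts in enumerate(demo(), 1):
        print(n, alerts)
```

The second run is the lease-change case that the 365-day lease setting mentioned earlier in the thread suppresses; the third is the one worth paging on.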