Devin
newbie
Topic Author
Posts: 32
Joined: Wed Dec 21, 2011 4:08 pm

ARP Watch Script

Fri Jan 04, 2013 8:03 pm

:local ipaddr;
:local macaddr;
:local iface;
:local macoui;
:local macnotfound;
:local ipnotfound;
:local oldmac;
:local oldip;
/ip arp
:foreach i in=[ /ip arp find ] do={
  :set ipaddr [get $i address]
  :set macaddr [get $i mac-address]
  :set iface [get $i interface]
  :if ([/ip firewall address-list find list="arpwatch" comment=$macaddr] = "") do={
     :set macnotfound "true";
  } else={
     :set macnotfound "false";
  }
  :if ([/ip firewall address-list find list="arpwatch" address=$ipaddr] = "") do={
     :set ipnotfound "true";
  }  else={
     :set ipnotfound "false";
  }
  :if ( $macnotfound = "true" && $ipnotfound = "true" ) do={
    /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Info" body="New ARP Entry: $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  :if ( $macnotfound = "false" && $ipnotfound = "true" ) do={
     :foreach ip in=[/ip firewall address-list find list="arpwatch" comment=$macaddr] do={
       :set oldip [/ip firewall address-list get $ip address]
     }
     /ip firewall address-list remove [/ip firewall address-list find address=$oldip]
     /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: IP Address Changed: $oldip -> $ipaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  :if ( $macnotfound = "true" && $ipnotfound = "false" ) do={
    :foreach mac in=[/ip firewall address-list find list="arpwatch" address=$ipaddr] do={
       :set oldmac [/ip firewall address-list get $mac comment]
     }
     /ip firewall address-list remove [/ip firewall address-list find comment=$oldmac]
     /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: MAC Address Changed: $oldmac -> $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  :if ( $macnotfound = "false" && $ipnotfound = "false" ) do={
    :log warning ("IP: $ipaddr and MAC: $macaddr already have been added") 
  }
}
1:51pm 1/4/13: fixed the syntax dumbspaces between :if (

Let me know if it works?

Thanks,
Devin
Devin Babb
Network Administrator
Ken-Tenn Wireless
devin@ken-tennwireless.com
 
Devin
newbie
Topic Author
Posts: 32
Joined: Wed Dec 21, 2011 4:08 pm

Re: ARP Watch Script

Fri Jan 18, 2013 5:33 pm

Does anyone have any problems using this script?
Devin Babb
Network Administrator
Ken-Tenn Wireless
devin@ken-tennwireless.com
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: ARP Watch Script

Fri Jan 18, 2013 5:48 pm

It seems like no one has actually used it... perhaps because they don't need to.

What exactly is the purpose anyway? Just a logger for any changes in the ARP list? If people need this in realtime, an API application is a better choice (and is trivial to write with the "listen" command).
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
Taner
just joined
Posts: 5
Joined: Thu Nov 22, 2018 11:48 am

Re: ARP Watch Script

Mon Feb 15, 2021 12:46 am

Hello :)
I confirm!
It works!
I changed the DHCP server lease to 365 days and I scheduled the script to run every 24 hours ;)
And the false alarms are reduced to zero.

Thank you for the script.
Best Regards!
 
nichky
Long time Member
Posts: 676
Joined: Tue Jun 23, 2015 2:35 pm

Re: ARP Watch Script

Mon Feb 15, 2021 2:03 am

Sorry, what does this script do?
RouterOS does not have a random function. Many have tried to make a script to make random text, but all seem to be flawed.
viewtopic.php?f=9&t=160183

!) Safe Mode is your friend;
 
Jotne
Forum Guru
Posts: 1915
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: ARP Watch Script

Mon Feb 15, 2021 1:14 pm

It was posted in 2013, so not sure OP is still using this forum :)

In short, it just creates and updates an ARP table list and sends a log entry and an email when new stuff appears or changes.
See my comments in the script (just a quick review, there may be some errors).
PS: you can also send the DHCP logs to get more or less the same information.
:local ipaddr;
:local macaddr;
:local iface;
:local macoui;
:local macnotfound;
:local ipnotfound;
:local oldmac;
:local oldip;
/ip arp

#Lists all data in /ip arp table
:foreach i in=[ /ip arp find ] do={
  :set ipaddr [get $i address]
  :set macaddr [get $i mac-address]
  :set iface [get $i interface]
  
  #If mac found in arpwatch list set macnotfound true, else false
  :if ([/ip firewall address-list find list="arpwatch" comment=$macaddr] = "") do={
     :set macnotfound "true";
  } else={
     :set macnotfound "false";
  }
  
  #If IP found in arpwatch list set ipnotfound true, else false
  :if ([/ip firewall address-list find list="arpwatch" address=$ipaddr] = "") do={
     :set ipnotfound "true";
  }  else={
     :set ipnotfound "false";
  }
  
  #If neither mac nor ip is found, add both to address list, give a warning and send an email
  :if ( $macnotfound = "true" && $ipnotfound = "true" ) do={
    /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Info" body="New ARP Entry: $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  
  #If mac found but IP not, find old IP, replace it with the new one and send email
  :if ( $macnotfound = "false" && $ipnotfound = "true" ) do={
     :foreach ip in=[/ip firewall address-list find list="arpwatch" comment=$macaddr] do={
       :set oldip [/ip firewall address-list get $ip address]
     }
     /ip firewall address-list remove [/ip firewall address-list find address=$oldip]
     /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: IP Address Changed: $oldip -> $ipaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  
  #If mac not found, but ip found, find ip and update mac and send email
  :if ( $macnotfound = "true" && $ipnotfound = "false" ) do={
    :foreach mac in=[/ip firewall address-list find list="arpwatch" address=$ipaddr] do={
       :set oldmac [/ip firewall address-list get $mac comment]
     }
     /ip firewall address-list remove [/ip firewall address-list find comment=$oldmac]
     /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: MAC Address Changed: $oldmac -> $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  :if ( $macnotfound = "false" && $ipnotfound = "false" ) do={
    :log warning ("IP: $ipaddr and MAC: $macaddr already have been added") 
  }
}
 
Why not use Splunk to monitor your MikroTik Router(s)? Look at this page on how to set it up.

MikroTik->Splunk
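
An added example, not part of any post in this thread and not MikroTik code: the same baseline comparison the script performs, written in Python so it can be tested offline. It goes beyond the script in three ways: it skips incomplete ARP entries, reports a known MAC that turns up on another known IP (which the script's two independent lookups log as already added), and uses an optional DHCP lease map to mark an IP change as expected. The function names, event names, the lease map and all addresses are assumptions made up for the example.

```python
# Added example, not the forum script. Addresses are constructed sample data.

def classify(baseline, entry, leases=None):
    """Compare one ARP entry (ip, mac, iface) with baseline {ip: mac}.

    Updates baseline in place and returns (event, detail).
    leases: optional {mac: ip} of current DHCP leases (assumed to be
    exported separately), used to mark an IP change as an expected renewal.
    """
    ip, mac, iface = entry
    if not mac:                                  # incomplete ARP entry
        return ("skipped", ip)
    mac = mac.upper()
    known_mac = baseline.get(ip)
    old_ips = [i for i, m in baseline.items() if m == mac and i != ip]
    where = f"({ip}@{iface})"
    if known_mac == mac:
        return ("known", f"{mac} {where}")
    baseline[ip] = mac
    if known_mac is not None:
        # IP already bound to another MAC. Checked before the "MAC known"
        # case so a known MAC on another known IP is still reported.
        return ("mac-changed", f"{known_mac} -> {mac} {where}")
    if not old_ips:
        return ("new", f"{mac} {where}")
    for old in old_ips:                          # one binding per MAC, as in the script
        del baseline[old]
    expected = leases is not None and leases.get(mac) == ip
    return ("ip-changed-dhcp" if expected else "ip-changed",
            f"{old_ips[0]} -> {ip} {where}")


def watch(baseline, arp_table, leases=None):
    """Return only the events worth logging or mailing for one ARP snapshot."""
    events = [classify(baseline, e, leases) for e in arp_table]
    return [e for e in events if e[0] not in ("known", "skipped")]


if __name__ == "__main__":
    seen = {}
    first = [("192.168.88.10", "00:00:5E:00:53:0A", "bridge"),
             ("192.168.88.11", "00:00:5E:00:53:0B", "bridge"),
             ("192.168.88.12", "", "bridge")]
    later = [("192.168.88.20", "00:00:5e:00:53:0a", "bridge"),
             ("192.168.88.11", "00:00:5E:00:53:0A", "bridge")]
    lease_map = {"00:00:5E:00:53:0A": "192.168.88.20"}
    for event in watch(seen, first) + watch(seen, later, lease_map):
        print(*event)
```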
 
 
Jotne
Forum Guru
Posts: 1915
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: ARP Watch Script

Mon Feb 15, 2021 10:50 pm

Script is OK, but it is missing some = after do.
I mostly get the same information from my DHCP script.
This script also gets the interface or bridge info and info from devices with static IP.
DHCP gives more info about the device.
 