Devin
newbie
Topic Author
Posts: 32
Joined: Wed Dec 21, 2011 4:08 pm

ARP Watch Script

Fri Jan 04, 2013 8:03 pm

:local ipaddr;
:local macaddr;
:local iface;
:local macoui;
:local macnotfound;
:local ipnotfound;
:local oldmac;
:local oldip;
/ip arp
:foreach i in=[ /ip arp find ] do={
  :set ipaddr [get $i address]
  :set macaddr [get $i mac-address]
  :set iface [get $i interface]
  :if ([/ip firewall address-list find list="arpwatch" comment=$macaddr] = "") do={
     :set macnotfound "true";
  } else={
     :set macnotfound "false";
  }
  :if ([/ip firewall address-list find list="arpwatch" address=$ipaddr] = "") do={
     :set ipnotfound "true";
  }  else={
     :set ipnotfound "false";
  }
  :if ( $macnotfound = "true" && $ipnotfound = "true" ) do={
    /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Info" body="New ARP Entry: $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
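  :if ( $macnotfound = "false" && $ipnotfound = "true" ) do={
     :foreach ip in=[/ip firewall address-list find list="arpwatch" comment=$macaddr] do={
       # The current menu is /ip arp, so read the address-list item from its own menu
       :set oldip [/ip firewall address-list get $ip address]
     }
     # Only remove the entry from the arpwatch list, not from other address lists
     /ip firewall address-list remove [/ip firewall address-list find list="arpwatch" address=$oldip]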
     /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: IP Address Changed: $oldip -> $ipaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
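  :if ( $macnotfound = "true" && $ipnotfound = "false" ) do={
    :foreach mac in=[/ip firewall address-list find list="arpwatch" address=$ipaddr] do={
       # The current menu is /ip arp, so read the address-list item from its own menu
       :set oldmac [/ip firewall address-list get $mac comment]
     }
     # Only remove the entry from the arpwatch list, not from other address lists
     /ip firewall address-list remove [/ip firewall address-list find list="arpwatch" comment=$oldmac]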
     /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: MAC Address Changed: $oldmac -> $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  :if ( $macnotfound = "false" && $ipnotfound = "false" ) do={
    :log warning ("IP: $ipaddr and MAC: $macaddr already have been added") 
  }
}
1:51pm 1/4/13: fixed the syntax dumbspaces between :if (

Let me know if it works?

Thanks,
Devin
 
Devin
newbie
Topic Author
Posts: 32
Joined: Wed Dec 21, 2011 4:08 pm

Re: ARP Watch Script

Fri Jan 18, 2013 5:33 pm

Does anyone have any problems using this script?
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: ARP Watch Script

Fri Jan 18, 2013 5:48 pm

It seems like no one has actually used it... perhaps because they don't need to.

What exactly is the purpose anyway? Just a logger for any changes in the ARP list? If people need this in realtime, an API application is a better choice (and is trivial to write with the "listen" command).
 
Taner
just joined
Posts: 12
Joined: Thu Nov 22, 2018 11:48 am

Re: ARP Watch Script

Mon Feb 15, 2021 12:46 am

Hello :)
I confirm!
It works!
I changed the DHCP server lease to 365 days and I scheduled to run the script every 24 hours ;)
And the false alarms are reduced to zero.

Thank you for the script.
Best Regards!
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: ARP Watch Script

Mon Feb 15, 2021 2:03 am

Sorry, what does this script do?
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: ARP Watch Script

Mon Feb 15, 2021 1:14 pm

It was posted in 2013, so not sure OP is still using this forum :)

In short, it just creates and updates an ARP table list and sends a log entry and an email when new stuff appears or changes.
See my comments in the script (just a quick review, there may be some errors).
PS: you can also send the DHCP logs to get more or less the same information.
:local ipaddr;
:local macaddr;
:local iface;
:local macoui;
:local macnotfound;
:local ipnotfound;
:local oldmac;
:local oldip;
/ip arp

#Lists all data in /ip arp table
:foreach i in=[ /ip arp find ] do={
  :set ipaddr [get $i address]
  :set macaddr [get $i mac-address]
  :set iface [get $i interface]
  
  # If the MAC is not found in the arpwatch list, set macnotfound true, else false
  :if ([/ip firewall address-list find list="arpwatch" comment=$macaddr] = "") do={
     :set macnotfound "true";
  } else={
     :set macnotfound "false";
  }
  
  # If the IP is not found in the arpwatch list, set ipnotfound true, else false
  :if ([/ip firewall address-list find list="arpwatch" address=$ipaddr] = "") do={
     :set ipnotfound "true";
  }  else={
     :set ipnotfound "false";
  }
  
  # If neither MAC nor IP is found, add both to the address list, log a warning and send an email
  :if ( $macnotfound = "true" && $ipnotfound = "true" ) do={
    /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Info" body="New ARP Entry: $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  
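  # If the MAC is found but the IP is not, find the old IP, replace it with the new one and send an email
  :if ( $macnotfound = "false" && $ipnotfound = "true" ) do={
     :foreach ip in=[/ip firewall address-list find list="arpwatch" comment=$macaddr] do={
       # The current menu is /ip arp, so read the address-list item from its own menu
       :set oldip [/ip firewall address-list get $ip address]
     }
     # Only remove the entry from the arpwatch list, not from other address lists
     /ip firewall address-list remove [/ip firewall address-list find list="arpwatch" address=$oldip]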
     /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: IP Address Changed: $oldip -> $ipaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  
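  # If the MAC is not found but the IP is, find the entry for the IP, update its MAC and send an email
  :if ( $macnotfound = "true" && $ipnotfound = "false" ) do={
    :foreach mac in=[/ip firewall address-list find list="arpwatch" address=$ipaddr] do={
       # The current menu is /ip arp, so read the address-list item from its own menu
       :set oldmac [/ip firewall address-list get $mac comment]
     }
     # Only remove the entry from the arpwatch list, not from other address lists
     /ip firewall address-list remove [/ip firewall address-list find list="arpwatch" comment=$oldmac]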
     /ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
    :log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
    :set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
    /tool e-mail send to="arpwatch@ken-tennwireless.com" subject="ARPWatch - Warning" body="WARNING: MAC Address Changed: $oldmac -> $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
  }
  # If both MAC and IP are found, just log that they are already in the list
  :if ( $macnotfound = "false" && $ipnotfound = "false" ) do={
    :log warning ("IP: $ipaddr and MAC: $macaddr already have been added") 
  }
}
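
The comparison the script performs, modelled offline in Python as an added example (not part of the post above and not RouterOS code). The function names, event names and sample addresses are made up for illustration. It goes one step beyond the script: an IP and a MAC that are both known but were not previously paired with each other are reported as "pairing-changed" instead of being logged as already added, and ARP rows without a MAC are skipped.

```python
# Added example: offline model of the arpwatch comparison, not the forum script.
from typing import Dict, List, Optional, Tuple

def oui(mac: str) -> str:
    """Vendor prefix: the first three octets without separators, e.g. '02AABB'."""
    return mac.replace(":", "").replace("-", "").upper()[:6]

def classify(known: Dict[str, str], arp: List[Tuple[str, str, str]]) -> List[dict]:
    """known maps ip -> mac (the role of the 'arpwatch' list) and is updated in place.
    arp rows are (ip, mac, iface). Returns one event per binding that changed."""
    events = []
    for ip, mac, iface in arp:
        if not mac:                      # incomplete ARP entry, nothing to compare
            continue
        mac = mac.upper()
        old_mac: Optional[str] = known.get(ip)
        old_ip = next((i for i, m in known.items() if m == mac), None)
        if old_mac == mac:               # same pairing as before
            continue
        if old_mac is None and old_ip is None:
            kind = "new"
        elif old_mac is None:
            kind = "ip-changed"          # known MAC moved to an unseen IP
        elif old_ip is None:
            kind = "mac-changed"         # known IP now answered by an unseen MAC
        else:
            kind = "pairing-changed"     # both known, but not to each other
        if old_ip is not None:
            del known[old_ip]            # drop the stale binding for this MAC
        known[ip] = mac
        events.append({"kind": kind, "ip": ip, "mac": mac, "iface": iface,
                       "old_ip": old_ip, "old_mac": old_mac, "oui": oui(mac)})
    return events

def run_demo():
    # Constructed sample data, not taken from the thread.
    known = {"192.168.88.10": "02:00:00:00:00:01",
             "192.168.88.11": "02:00:00:00:00:02"}
    arp = [("192.168.88.10", "02:00:00:00:00:01", "bridge"),   # unchanged
           ("192.168.88.20", "02:00:00:00:00:03", "bridge"),   # new
           ("192.168.88.21", "02:00:00:00:00:02", "bridge"),   # IP changed
           ("192.168.88.10", "02:aa:bb:00:00:09", "ether2"),   # MAC changed
           ("192.168.88.21", "02:00:00:00:00:03", "bridge"),   # re-paired
           ("192.168.88.30", "", "bridge")]                    # incomplete
    return classify(known, arp), known

if __name__ == "__main__":
    for event in run_demo()[0]:
        print(event)
```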
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: ARP Watch Script

Mon Feb 15, 2021 10:50 pm

The script is OK, but it is missing some = after do.
I do mostly get the same information from my DHCP script.
This script does also get the interface or bridge info and info from devices with static IP.
DHCP gives more info about the device.
