[c-nsp] Getting ARP table from SNMP

[Ed Ravin]

On Tue, Oct 17, 2006 at 01:07:39PM -0400, Shenk, Jerry A wrote:
> How do you use arpwatch to pull arp tables from a router?  That seems
> like it would be a very useful tool.  I've used arpwatch to monitor arp
> traffic.  I just reviewed my documentation too and I just don't see how
> to do that...I'd love to see an example.  I'm using version 2.1....I'll
> have to look for an update.

Arpwatch comes with an auxilliary program called "arpsnmp".  It's a bit
of a misnomer since it only parses a file created by someone else
polling SNMP.  I had to write my own poller, but it was just a call
to snmpwalk and then a little massaging of the output into a format that
arpsnmp could eat.  See attachment (arpfetch.pl).

Once you download the router's ARP table via SNMP, you can call arpsnmp
which will create an "arp.dat" file with timestamps of the last
time a particular IP address was seen, with the MAC address that it was using.

Here's an excerpt from a script I use to create a bunch of .dat files
with IP/MAC mappings.  I have other scripts that dig through the .dat
files that produce reports.

ARPSNMP="/usr/local/sbin/arpsnmp -d"  # don't send email
ARPFETCH=/usr/local/sbin/arpfetch.pl

community=public
for host in "routera routerb routerc"
do
        $ARPFETCH $host $community > $host.fetch
        touch $host.dat  # file must exist
        $ARPSNMP -f $host.dat $host.fetch > /dev/null 2>&1
done