[c-nsp] Getting ARP table from SNMP

[Ed Ravin]

On Tue, Oct 17, 2006 at 02:03:16PM -0400, Ed Ravin wrote:
> Arpwatch comes with an auxilliary program called "arpsnmp".  It's a bit
> of a misnomer since it only parses a file created by someone else
> polling SNMP.  I had to write my own poller, but it was just a call
> to snmpwalk and then a little massaging of the output into a format that
> arpsnmp could eat.  See attachment (arpfetch.pl).

Now that's odd - the attachment is there in my outbox copy, so I definitely
sent it to the list, but it looks like it got stripped.  Here it is in
text format - note that your email client may mung things like < > &
symbols, do word wrap, or other damage.

-------------------   cut here -------------
#!/usr/local/bin/perl

# usage: arpfetch.pl router-hostname community

use strict;

my $router= $ARGV[0];
my $community= $ARGV[1];

my $oid="ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress";
open SNMP, "snmpwalk -t 2 $router $community $oid|" || die $!;

# ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress.1.192.168.1.253 =  Hex: 00 10 20 30 40 50

while (<SNMP>)
{
	my ($ip, $junkorether, $ether)= /(\d+\.\d+\.\d+\.\d+)\s+=\s+(Hex:)?\s*([0-9a-fA-F]+[: ][0-9a-fA-F]+[: ][0-9a-fA-F]+[: ][0-9a-fA-F]+[: ][0-9a-fA-F]+[: ][0-9a-fA-F]+)/;
	if (defined $ip and (defined $junkorether or defined $ether))
	{
		$ether= $junkorether unless defined $ether;
		$ether=~ s/ /:/g;
		$ether=~ tr/A-F/a-f/;
		$ether=~ s/0([0-9a-f])/$1/g;
		print "$ether\t$ip\n";
	}
	else
	{
		print STDERR "Cannot parse line $.: $_\n";
	}
}