ARP Monitoring: Zabbix template export (format version 5.0, dated 2021-11-21T22:06:05Z, group Templates).

## Description
Rafael Gustavo Gassner 02/2021

This script actively scans ARP and sends the results to the Zabbix server using zabbix_sender. arp-scan should be installed, and the interfaces variable should be configured for your environment. You will want to run it every 10 minutes or so, using crontab. The first run(s) might not populate data, since LLD items are still being created on the Zabbix server.

With the script and template, you will be able to:
* Detect newly connected devices on the network.
* Have a history of which MACs were used by which IPs and vice versa.
* Detect if there are multiple IPs associated with the same MAC.
* Detect if there are multiple MACs associated with the same IP address.
* Identify the active period on the network for each device.

Since this is designed for a small environment, the trigger for a new device has no recovery expression and should be manually disabled. You can configure the "new device" trigger as disabled for the initial run. After that, you can disable each trigger manually once you have recognized the new device as not being a rogue one.

In the Zabbix template, the "Allowed hosts" variable should be configured for your environment in the item prototypes and in the discovery rule.
## Author
Rafael Gustavo Gassner
## Template contents

* Group: Templates
* Application: ARP

Discovery rule "Address discovery":
* Type: TRAP
* Key: `arp.discovery`
* Delay: 0
* Allowed hosts: `10.0.0.0/8,192.168.0.0/16,127.0.0.0/8`
* LLD macro paths: `{#HWADDRESS}` from `$.HWAddress`, `{#IPADDRESS}` from `$.ipAddress`

Item prototypes (all type TRAP, delay 0, history 7d, allowed hosts `10.0.0.0/8,192.168.0.0/16,127.0.0.0/8`, application ARP):
* "Ip address count for mac {#HWADDRESS}": key `arp.ipCount[{#HWADDRESS}]`, units IP
* "Mac(s) associated with IP {#IPADDRESS}": key `arp.ipMacs[{#IPADDRESS}]`, trends 0, value type TEXT
* "Mac address count for IP {#IPADDRESS}": key `arp.macCount[{#IPADDRESS}]`, units mac
* "Ip address(es) associated with mac {#HWADDRESS}": key `arp.macIps[{#HWADDRESS}]`, trends 0, value type TEXT

Trigger prototype on "Ip address count for mac {#HWADDRESS}":
* Expression: `{last(#1)}<>0`
* Name: "New device using mac {#HWADDRESS} and IP {#IPADDRESS} detected by {HOST.HOST} arp table."
* Priority: INFO
* Description: Identify new physical addresses in the same network as your host. Triggers should be disabled manually. Recommended to create triggers disabled on the first run.
* Tag: feature = arp

Trigger prototypes on the discovery rule (both priority INFO, tag feature = arp):
* Expression: `{ARP Monitoring:arp.macCount[{#IPADDRESS}].last(#1)}>1 and {ARP Monitoring:arp.ipMacs[{#IPADDRESS}].str(lala,#1)}=0`
  Name: "IP {#IPADDRESS} in use in more than one mac detected by {HOST.HOST} arp table. Adresses found {ITEM.LASTVALUE2}"
* Expression: `{ARP Monitoring:arp.ipCount[{#HWADDRESS}].last(#1)}>1 and {ARP Monitoring:arp.macIps[{#HWADDRESS}].str(lala,#1)}=0`
  Name: "Mac {#HWADDRESS} in use in more than one IP detected by {HOST.HOST} arp table. Adresses found {ITEM.LASTVALUE2}"
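
The collection script itself is not reproduced on this page. The Python below is an added example, not the author's script: it parses arp-scan style output and builds zabbix_sender input lines for the trapper keys of this template. The sample scan, the host name `lab-gw`, the one-row-per-pair LLD layout and the comma separator in the text items are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed arp-scan style output (IP<TAB>MAC<TAB>vendor); not from a real network.
SAMPLE_SCAN = (
    "Interface: eth0, type: EN10MB, MAC: 02:00:00:00:00:01, IPv4: 192.168.0.10\n"
    "192.168.0.1\t02:00:00:aa:bb:01\tExample Router\n"
    "192.168.0.20\t02:00:00:AA:BB:02\tExample Laptop\n"
    "192.168.0.21\t02:00:00:aa:bb:02\tExample Laptop\n"
    "192.168.0.30\t02:00:00:aa:bb:03\tExample Camera\n"
    "192.168.0.30\t02:00:00:aa:bb:04\t(Unknown) (DUP: 2)\n"
    "\n"
    "5 packets received by filter, 0 packets dropped by kernel\n"
)
PAIR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)


def parse_pairs(text):
    """Return sorted unique (ip, mac) pairs; header and summary lines are skipped."""
    found = {(m[1], m[2].lower()) for m in map(PAIR.match, text.splitlines()) if m}
    return sorted(found)


def quote(value):
    """Quote a field for a zabbix_sender input file, escaping backslash and quote."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def sender_lines(host, pairs):
    """Build '<host> <key> <value>' lines for the template's trapper keys."""
    ips_by_mac, macs_by_ip = defaultdict(list), defaultdict(list)
    for ip, mac in pairs:
        ips_by_mac[mac].append(ip)
        macs_by_ip[ip].append(mac)
    # LLD rows use the JSON fields the template maps: $.HWAddress and $.ipAddress.
    lld = [{"HWAddress": mac, "ipAddress": ip} for ip, mac in pairs]
    rows = [("arp.discovery", json.dumps(lld))]
    for mac, ips in ips_by_mac.items():
        rows += [(f"arp.ipCount[{mac}]", len(ips)), (f"arp.macIps[{mac}]", ",".join(ips))]
    for ip, macs in macs_by_ip.items():
        rows += [(f"arp.macCount[{ip}]", len(macs)), (f"arp.ipMacs[{ip}]", ",".join(macs))]
    return [f"{quote(host)} {key} {quote(value)}" for key, value in rows]


if __name__ == "__main__":
    # "lab-gw" is a placeholder host name; pipe the output to: zabbix_sender -z <server> -i -
    print("\n".join(sender_lines("lab-gw", parse_pairs(SAMPLE_SCAN))))
```

In the sample, `192.168.0.30` answers from two MACs and one MAC holds two IPs, so both count items exceed 1, which is the condition the "more than one" trigger prototypes test.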