Our networks seem to be under constant attack, if not from evil-doers then from accidents or unenlightened people.
EthLog passively watches the network for machines sending ARP packets, the packets a host uses to resolve an IP address to a MAC address before any TCP or UDP connection to the device can be made. It watches the IP and MAC addresses that pass by on the Ethernet, constructs a table of known MAC and IP addresses, and SYSLOGs any change detected, including notes such as a single MAC used for two or more IP addresses, or a MAC stealing an IP address from another MAC.
EthLog will detect
EthLog should be installed on one Windows computer per subnet. I hope to get a VLAN-trunk version for 2.0, which will allow one machine to listen on multiple subnets.
The computer can be a server or a workstation. Only XP, 2K or NT are currently supported. The computer should not be a student lab computer, because the extra drivers loaded could be used to stage an attack.
EthLog runs as a Windows Service: it continues to execute whether or not a user is logged in, and the user is unaware of its presence. To install it, run:
c:\nexus\ethlog /install
Then go to the Services manager and start the EthLog service.
The file N:\nexus\arptable will grow with a list of the IP/MAC addresses found. As addresses are discovered they are logged to engprint's var/log/ethernet file, along with notes such as whether multiple IPs originate from that MAC, or whether the MAC has stolen another MAC's IP address.
If this program is not being used on Nexus, you may wish to send the syslogs to a different host. Set the registry key HKEY_LOCAL_MACHINE\Software\uwaterloo\nexus\EthLog\sysloghost to a text string containing the name of the desired syslog host. You can specify a DNS name or a dotted IP. A dotted IP is better because it avoids a DNS lookup every time it is used, and you can change the syslog host at any time without restarting the service. The syslog is sent as user.5.
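As an added illustration (not EthLog's own code), the table-and-change logic described above is modelled in Python over a few constructed ARP sender pairs, producing one syslog-style line per change. The host name, the event wording and the reading of user.5 as facility user, severity 5 are assumptions.

```python
from collections import defaultdict

# "user.5" taken as facility user (1), severity 5 (notice): PRI 13 under RFC 3164 numbering (an assumption).
SYSLOG_PRI = 1 * 8 + 5


class ArpTable:
    def __init__(self):
        self.ip_to_mac = {}                  # IP -> MAC that last claimed it
        self.mac_to_ips = defaultdict(set)   # MAC -> every IP it has claimed

    def observe(self, mac, ip):
        """Record one ARP sender MAC/IP pair; return the events it caused."""
        mac = mac.lower()
        events = []
        prev_mac = self.ip_to_mac.get(ip)
        if prev_mac is None:
            events.append(f"new host {ip} at {mac}")
        elif prev_mac != mac:
            # IP already bound to another MAC: the "stolen IP" case (ARP spoofing).
            events.append(f"{mac} stole {ip} from {prev_mac}")
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                ips = ",".join(sorted(self.mac_to_ips[mac]))
                events.append(f"{mac} uses multiple IPs: {ips}")
        return events


def syslog_line(msg, host="ethlog-host"):
    """Format an event as a BSD-style syslog line at priority user.5."""
    return f"<{SYSLOG_PRI}>{host} ethlog: {msg}"


def run(packets):
    """Feed (mac, ip) ARP observations through one table; return syslog lines."""
    table = ArpTable()
    return [syslog_line(e) for mac, ip in packets for e in table.observe(mac, ip)]


# Constructed sample traffic: two hosts, a repeat, a second IP on one MAC,
# then a third MAC claiming 10.0.0.1 after 00:11:22:33:44:01 already did.
SAMPLE = [
    ("00:11:22:33:44:01", "10.0.0.1"),
    ("00:11:22:33:44:02", "10.0.0.2"),
    ("00:11:22:33:44:01", "10.0.0.1"),
    ("00:11:22:33:44:02", "10.0.0.3"),
    ("00:11:22:33:44:03", "10.0.0.4"),
    ("00:11:22:33:44:99", "10.0.0.1"),
]
```

Running run(SAMPLE) yields a new-host line for each first sighting, a multiple-IPs note for 00:11:22:33:44:02, and a stolen-IP note when 00:11:22:33:44:99 claims 10.0.0.1.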