LinuxQuestions.org
Old 10-25-2009, 07:25 AM   #1
targettl
Member
 
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84

Rep: Reputation: 16
Monitor dhcp for unknown mac addresses


I am using Ubuntu Server and would like to receive an email once a day listing MAC addresses that have requested an IP address and are not in my list of known MAC addresses.

#!/bin/sh
mac=`grep DHCPREQUEST /var/log/syslog | cut -c 77-94`
#shows all macs that have requested an ip
#this will produce something like
#mac1
#mac2
#mac3

lookup=`grep $mac /root/dhcp.macs`
#This does not work as the first entry mac1 will be okay but mac2 and mac3 will not
#It will try to use mac2 as the file to look in which won't exist
#I need to make it loop through for each line of the variable and add that to the lookup value

diff $mac $lookup
#I think this should differentiate known from unknown if i can get a lookup value
 
Old 10-25-2009, 11:30 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,104

Rep: Reputation: 92
Hi.

I'd sort the two MAC lists, then use 'comm' to find MACs in syslog that aren't in /root/dhcp.macs .

Something like:
Code:
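# comm needs both inputs sorted
sort /root/dhcp.macs > /tmp/dhcp.macs.sort
grep DHCPREQUEST /var/log/syslog | cut -c 77-94 | sort > /tmp/syslog.macs.sort
# -13 hides lines found only in the known list and lines found in both,
# leaving only the MACs that appear in syslog but not in /root/dhcp.macs
comm -13 /tmp/dhcp.macs.sort /tmp/syslog.macs.sort
rm -f /tmp/syslog.macs.sort /tmp/dhcp.macs.sort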
Dave

Last edited by ilikejam; 10-25-2009 at 11:32 AM.
 
Old 10-26-2009, 12:19 AM   #3
targettl
Member
 
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84

Original Poster
Rep: Reputation: 16
Why are you sorting the files?
Is it because, for the comm command to work, entries have to be on the same line?
If so, this will not work, as not all clients will request DHCP and then stuff will be on different lines.

Any other commands that compare files?
If one file contains a MAC address that the other doesn't, it will show up, and that will have to work if they are in different locations of the file.
 
Old 10-26-2009, 12:40 AM   #4
targettl
Member
 
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84

Original Poster
Rep: Reputation: 16
file1 file2
mac1 mac3
mac2 mac4
mac3 mac8
mac4 mac9

I would like a command that would compare each line in file2 with file1, or vice versa, and output the lines that are not found in the comparison file. In this example mac8 and mac9 should be displayed, as there is no entry on any line of file1 for these.
 
Old 10-26-2009, 02:47 AM   #5
targettl
Member
 
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84

Original Poster
Rep: Reputation: 16
Here is my solution, tested and works.

#!/bin/sh

#shows macs that have requested an ip
grep DHCPREQUEST /var/log/syslog | cut -c 77-94 > /root/todaysrequests

#looks up to see if a mac address is known and places in a file if it isn't
grep -v -f /root/dhcp.macs /root/todaysrequests > /root/unknownaddresses

/usr/bin/mail -s "DHCP Security" "admin@domain" < /root/unknownaddresses

Last edited by targettl; 10-26-2009 at 06:27 AM.
 
Old 10-26-2009, 06:08 AM   #6
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,104

Rep: Reputation: 92
Hi again.

'comm' only works on sorted lists. The MACs should actually be run through 'uniq' too.
The following does exactly what you're looking for, as far as I can see:
Code:
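# comm needs both inputs sorted; uniq drops repeated requests from the same MAC
sort /root/dhcp.macs | uniq > /tmp/dhcp.macs.sort
grep DHCPREQUEST /var/log/syslog | cut -c 77-94 | sort | uniq > /tmp/syslog.macs.sort
# -13 hides lines found only in the known list and lines found in both,
# leaving only the MACs that appear in syslog but not in /root/dhcp.macs
comm -13 /tmp/dhcp.macs.sort /tmp/syslog.macs.sort
rm -f /tmp/syslog.macs.sort /tmp/dhcp.macs.sort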
Dave
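
An added example, not part of any post in this thread: the same known-versus-seen comparison, but extracting MACs by pattern instead of `cut -c 77-94`, normalising case, and using `mktemp` instead of fixed `/tmp` names. The function names `extract_macs` and `unknown_macs`, the ISC dhcpd-style log line format and all sample data are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# Print every MAC-shaped token on stdin, lower-cased, sorted, de-duplicated.
extract_macs() {
    grep -oiE '([0-9a-f]{2}:){5}[0-9a-f]{2}' | tr 'A-F' 'a-f' | sort -u
}

# unknown_macs LOGFILE ALLOWLIST -> MACs in DHCPREQUEST lines missing from ALLOWLIST
unknown_macs() {
    known=$(mktemp) || return 1          # unpredictable names, unlike fixed /tmp paths
    seen=$(mktemp) || { rm -f "$known"; return 1; }
    # Keeping only MAC-shaped tokens drops comments and blank lines; a blank
    # line in a `grep -f` pattern file would match (and so hide) every request.
    extract_macs < "$2" > "$known"
    grep DHCPREQUEST "$1" | extract_macs > "$seen"
    comm -13 "$known" "$seen"            # column 2 only: seen but not known
    rm -f "$known" "$seen"
}

demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT

# Constructed log lines; hostnames differ in length, so fixed columns would break.
cat > "$demo_dir/syslog" <<'EOF'
Oct 25 07:01:12 gw dhcpd: DHCPREQUEST for 192.168.1.50 from 00:11:22:33:44:55 (laptop) via eth0
Oct 25 07:01:12 gw dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via eth0
Oct 25 09:14:03 gateway-long-name dhcpd: DHCPREQUEST for 192.168.1.77 from DE:AD:BE:EF:00:01 via eth0
Oct 25 09:20:41 gw dhcpd: DHCPREQUEST for 192.168.1.50 from 00:11:22:33:44:55 (laptop) via eth0
Oct 25 10:02:00 gw dhcpd: DHCPDISCOVER from 02:00:00:00:00:99 via eth0
EOF

# Constructed allowlist with a comment, a blank line and upper-case hex.
cat > "$demo_dir/dhcp.macs" <<'EOF'
# known devices
00:11:22:33:44:55

AA:BB:CC:DD:EE:FF
EOF

unknown_macs "$demo_dir/syslog" "$demo_dir/dhcp.macs"
```

A MAC address is client-supplied, so a device that copies a known address will not appear in this list; the report only catches addresses that were never registered.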
 
  

