[SOLVED] Need program to get ARP table changes via netlink socket

bayarealad · 08-29-2017, 08:06 PM

Hi Ikshudm, I linked libnl using -lnl in gcc command line. However I still do not know how to parse the message and extract ip address, mac address, device name, state of arp entry. Please let me know ASAP if you have figured it out. I look forward to hearing from you.

bayarealad · 08-30-2017, 05:50 AM

Hi Ikshudm, I am able to receive the events when arp is added or deleted. Also nl_object_dump does print the arp entry.

Hi Ikshudm/rigor, However I still do not know how to parse and extract ip address, mac address, device, state of the arp entry from the netlink message. Please let me know if you have any information about that.

bayarealad · 08-31-2017, 07:55 PM

Hi, I am able to successfully parse the netlink message. Is there a way to know if the arp update I received is due to arp add, or arp delete or arp replace ?

justmy2cents · 09-01-2017, 01:11 AM

Theres a tool called Arpwatch which keep track of ethernet/ip address pairings. It syslogs activity and reports certain changes via email. Arpwatch uses pcap to listen for arp packets on a local ethernet interface..

shadowsong · 11-10-2020, 10:04 AM

hi rigor,
I compile you code, and can be run. But this is a problem that it can not got all the arp.
and I found the code:

rtatp = ( struct rtattr * ) IFA_RTA( rtmp ) ;
rtattrlen = IFA_PAYLOAD( nlmp ) ;

is not right!

I modity to:
#define _IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg))))
#define _IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg))

rtatp = ( struct rtattr * ) _IFA_RTA( rtmp ) ;
rtattrlen = _IFA_PAYLOAD( nlmp ) ;

and it is good to get most all ARPS