ARP Resolution Probe

Module Status

MVP

Monitors the mapping of static and dynamic IP addresses to MAC addresses. Triggers if a new dynamic mapping appears or a conflict is observed.

Functionality

Inspects all ARP packets for mappings between IP and MAC addresses.

  1. If a mapping matches a statically configured mapping, nothing happens.
  2. If a mapping matches a dynamically created mapping, nothing happens.
  3. If the mapping is unknown and dynamic mappings are activated, create this mapping as a dynamic one.
  4. If a mapping conflicts with an existing static or dynamic mapping, an event is created.

Events

ARP_MONITOR_LEARNED
A new dynamic ARP resolution has been learned. This event can only be triggered if dynamic ARP learning is enabled.
ARP_MONITOR_SPOOFED_DYNAMIC
A conflicting ARP resolution for an existing dynamic one has been observed. This event can only be triggered if dynamic ARP learning is configured.
ARP_MONITOR_SPOOFED_STATIC
A conflicting ARP resolution for a configured static one has been observed.
ARP_MONITOR_UNKNOWN
An unknown ARP resolution has been observed while dynamic ARP learning is disabled.
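
The four rules under Functionality and the events they raise, as an added Python sketch that is not the probe's own code. It assumes a conflict means the same IP seen with a different MAC, that a learned mapping is kept (not overwritten) when a conflict appears, and that MACs are compared case-insensitively; `ArpMonitor`, `observe`, `replay` and the sample traffic are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field


def norm(mac: str) -> str:
    """Normalise a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal (assumption)."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class ArpMonitor:
    static: dict                                  # ip -> mac, from static_resolutions
    dynamic_enable: bool = False                  # mirrors the dynamic_enable setting
    dynamic: dict = field(default_factory=dict)   # ip -> mac, learned at runtime

    def __post_init__(self):
        self.static = {ip: norm(mac) for ip, mac in self.static.items()}

    def observe(self, ip: str, mac: str):
        """Return the event name for one observed mapping, or None if it is known."""
        mac = norm(mac)
        if ip in self.static:      # rule 1, or rule 4 against a static entry
            return None if self.static[ip] == mac else "ARP_MONITOR_SPOOFED_STATIC"
        if ip in self.dynamic:     # rule 2, or rule 4 against a learned entry
            return None if self.dynamic[ip] == mac else "ARP_MONITOR_SPOOFED_DYNAMIC"
        if self.dynamic_enable:    # rule 3: learn the unknown mapping
            self.dynamic[ip] = mac
            return "ARP_MONITOR_LEARNED"
        return "ARP_MONITOR_UNKNOWN"


# Constructed sample traffic (documentation addresses, locally administered MACs).
SAMPLE = [
    ("192.0.2.1", "02:00:00:00:00:01"),  # matches the static entry
    ("192.0.2.1", "02:00:00:00:00:99"),  # conflicts with the static entry
    ("192.0.2.7", "02:00:00:00:00:07"),  # unknown mapping
    ("192.0.2.7", "02-00-00-00-00-07"),  # same mapping, different notation
    ("192.0.2.7", "02:00:00:00:00:66"),  # conflicts with the mapping seen first
]


def replay(monitor, observations):
    """Feed (ip, mac) pairs through the monitor and collect the events."""
    return [monitor.observe(ip, mac) for ip, mac in observations]


if __name__ == "__main__":
    for dyn in (True, False):
        mon = ArpMonitor({"192.0.2.1": "02:00:00:00:00:01"}, dynamic_enable=dyn)
        print("dynamic_enable =", dyn, replay(mon, SAMPLE))
```

With learning disabled, the last three observations all come back as ARP_MONITOR_UNKNOWN, so a conflict on a non-static address is not distinguished from any other unlisted host in that mode.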

Metrics

ixpect_arp_monitor_ip_count{type=static,mac_addr=xx:xx:xx:xx:xx:xx,ip_addr=192.0.2.42,allowed=false} 0
ixpect_arp_monitor_ip_count{type=dynamic}
ixpect_arp_monitor_static_ip_count

Configuration

probes:
  arp_monitor:
    enable: true
    static_resolutions:
      - ip: "x.x.x.x"
        mac: "xx:xx:xx:xx:xx:xx"
      - ip: "x.x.x.x"
        mac: "xx:xx:xx:xx:xx:xx"
      - ip: "x.x.x.x"
        mac: "xx:xx:xx:xx:xx:xx"
    dynamic_enable: false