Probe: arp_neighbor
Monitors the resolution of IP addresses to MAC addresses. Triggers events if an unknown resolution appears or a newly observed resolution conflicts with a static or learned dynamic one.
Inspected Packets
This probe looks for packets with the following characteristics:
- EtherType: ARP
Configuration
```yaml
probes:
  arp_neighbor:
    # enable this probe
    enable: true
    # enable learning dynamic resolutions
    dynamic_enable: true
    # list of static resolutions
    static_resolutions:
      - ip: 192.0.2.1
        mac: 00:00:5e:00:53:01
      - ip: 192.0.2.42
        mac: 00:00:5e:00:53:2a
```
See also: schema description
Events
Name | Description |
---|---|
ARP_NEIGHBOR_NEW_DYNAMIC | dynamic_enable is true and a resolution is learned |
ARP_NEIGHBOR_SPOOFED_DYNAMIC | an observed resolution conflicts with a dynamic learned one |
ARP_NEIGHBOR_SPOOFED_STATIC | an observed resolution conflicts with a static configured one |
ARP_NEIGHBOR_UNKNOWN | dynamic_enable is false and a resolution is unknown |
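
The event table can be read as a small decision procedure. The following Python sketch is an added example, not the project's own code: it parses constructed ARP frames and returns the event names listed above. Assumptions: the sender hardware/protocol address pair is what is tracked, static entries are checked before learned ones, the first learned binding is kept on conflict, and `parse_arp`, `ArpNeighbor`, `build_arp` and `run` are hypothetical names.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806

def parse_arp(frame):
    """Return (sender_ip, sender_mac) of an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen = struct.unpack_from("!HHBB", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = struct.unpack_from("!6s4s", frame, 22)
    if spa == b"\x00" * 4:  # RFC 5227 address probe: sender IP unset, no binding
        return None
    return str(IPv4Address(spa)), sha.hex(":")

class ArpNeighbor:
    def __init__(self, static_resolutions, dynamic_enable=True):
        self.static = {r["ip"]: r["mac"].lower() for r in static_resolutions}
        self.dynamic = {}  # ip -> mac learned at runtime
        self.dynamic_enable = dynamic_enable

    def observe(self, ip, mac):
        """Return one of the page's event names, or None when the binding matches."""
        if ip in self.static:  # assumption: static entries take precedence
            return None if self.static[ip] == mac else "ARP_NEIGHBOR_SPOOFED_STATIC"
        if ip in self.dynamic:  # assumption: first learned binding is kept
            return None if self.dynamic[ip] == mac else "ARP_NEIGHBOR_SPOOFED_DYNAMIC"
        if not self.dynamic_enable:
            return "ARP_NEIGHBOR_UNKNOWN"
        self.dynamic[ip] = mac
        return "ARP_NEIGHBOR_NEW_DYNAMIC"

def build_arp(ip, mac):
    """Constructed sample frame: broadcast ARP request with sender ip/mac."""
    sha = bytes.fromhex(mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + IPv4Address(ip).packed
    return b"\xff" * 6 + sha + b"\x08\x06" + arp + bytes(6) + IPv4Address("192.0.2.254").packed

def run(frames, probe):
    out = []
    for ip, mac in filter(None, map(parse_arp, frames)):
        event = probe.observe(ip, mac)
        if event:
            out.append((event, ip, mac))
    return out

STATIC = [{"ip": "192.0.2.1", "mac": "00:00:5e:00:53:01"},
          {"ip": "192.0.2.42", "mac": "00:00:5e:00:53:2a"}]
SAMPLE = [build_arp("192.0.2.1", "00:00:5e:00:53:01"),   # matches static
          build_arp("192.0.2.7", "00:00:5e:00:53:07"),   # first sighting
          build_arp("192.0.2.7", "00:00:5e:00:53:99"),   # conflicts with learned
          build_arp("192.0.2.42", "00:00:5e:00:53:99")]  # conflicts with static
```

Running `run(SAMPLE, ArpNeighbor(STATIC, dynamic_enable=False))` shows the trade-off of disabling learning: both frames for 192.0.2.7 report ARP_NEIGHBOR_UNKNOWN, so the MAC change between them is not flagged as a conflict.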