ARP Daemon


The ARP daemon component of EventSentry's network services listens to all network traffic on one or more interfaces. It collects statistics about the MAC addresses in use on the network and issues alerts when new MAC addresses are found or when IP - MAC address mappings change. The ARP daemon goes through an initial learning period of 2 weeks, after which it assumes it has a useful baseline of all devices on the network.





Provides real-time information on MAC address usage and changes.


When was a MAC address first and last seen on the network?

With which IP address is a MAC address associated?

With which hostname is a MAC address associated?

With which vendor is a MAC address associated?



In addition to providing statistical information about the network, the ARP daemon also issues alerts under the following circumstances:


A new MAC address was discovered outside the initial learning period

A MAC address is registering itself with an IP address that is already registered with a different MAC address (possible ARP spoof attempt)
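
The two alert conditions above can be sketched as follows. This is an added example, not EventSentry's own code: the names `ArpBaseline`, `observe` and `run_sample` are hypothetical, the sightings are constructed, and it assumes that mapping conflicts are reported even during the learning period.

```python
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(weeks=2)  # initial learning period stated on this page


class ArpBaseline:
    """Tracks MAC sightings and IP-to-MAC mappings (illustrative, hypothetical names)."""

    def __init__(self, started):
        self.started = started
        self.macs = {}       # mac -> {"first_seen", "last_seen", "ip"}
        self.ip_owner = {}   # ip -> mac most recently seen claiming it

    def observe(self, ts, mac, ip):
        """Record one ARP sighting and return the alerts it triggers."""
        mac = mac.lower()
        alerts = []
        entry = self.macs.get(mac)
        if entry is None:
            self.macs[mac] = {"first_seen": ts, "last_seen": ts, "ip": ip}
            # New MACs are only alert-worthy once the baseline is established.
            if ts - self.started >= LEARNING_PERIOD:
                alerts.append(("new_mac", mac, ip))
        else:
            entry["last_seen"] = ts
            entry["ip"] = ip
        owner = self.ip_owner.get(ip)
        if owner is not None and owner != mac:
            # Assumption: conflicts are reported even during the learning period.
            # DHCP reassignment or a replaced NIC produces the same signal.
            alerts.append(("ip_conflict", ip, owner, mac))
        self.ip_owner[ip] = mac
        return alerts


def run_sample():
    """Replay constructed sightings (not real traffic) and collect all alerts."""
    t0 = datetime(2024, 1, 1)
    baseline = ArpBaseline(started=t0)
    sightings = [  # constructed sample data
        (t0 + timedelta(days=1), "00:11:22:33:44:55", "192.0.2.10"),
        (t0 + timedelta(days=2), "00:11:22:33:44:66", "192.0.2.11"),
        (t0 + timedelta(days=20), "00:11:22:33:44:55", "192.0.2.10"),
        (t0 + timedelta(days=21), "02:AA:BB:CC:DD:EE", "192.0.2.10"),
    ]
    alerts = []
    for ts, mac, ip in sightings:
        alerts.extend(baseline.observe(ts, mac, ip))
    return baseline, alerts
```

The last constructed sighting triggers both conditions at once: the MAC is new after the learning period, and it claims an IP address already mapped to another MAC.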






In order for the ARP daemon component to run, either "Detect new MAC addresses" or "Detect spoof attempts" needs to be checked.



Configure on which interface(s) the ARP daemon should listen for network traffic by specifying one or more MAC addresses. While not absolutely necessary, best results are achieved if the interface(s) the ARP daemon is listening on are connected to a switch port which receives all network traffic of the switch. A port on the switch which receives all network traffic (as opposed to the default, where it only receives traffic directed to the registered MAC addresses) is usually referred to as a monitor port.