NAME
ndpmon - Neighbor Discovery Protocol Monitor
SYNOPSIS
ndpmon [ -i interfacename ] [ -f configfile ] [ -d dtd_file ] [ -F filter ] [ -n number ] [ -L ] [ -v ] [ -h ] [ -d dtd_file ] [ -g neighbor_file ]
DESCRIPTION
NDPMon is a monitoring tool for IPv6 Neighbor Discovery. It logs ND activity to syslog and reports malicious ND messages by email. NDPMon uses libpcap to capture ICMPv6 packets and libxml2 to read the configuration and neighbor cache files.

The -i flag changes the interface to listen on. The default is eth0.

The -f flag changes the path of the configuration file. The default is /etc/ndpmon/config_ndpmon.xml.

The -e flag changes the path of the DTD file for the configuration file. The default is /etc/ndpmon/config_ndpmon.dtd.

The -n flag passes a packet count to libpcap so that only that number of packets is captured.

The -F flag changes the default icmp6 capture filter.

The -L flag disables syslog and mail reports. It is used for a learning phase, during which the neighbor cache is built up.

The -v flag enables DEBUG mode.

The -d flag changes the path of the DTD file for the neighbor cache. The default is /var/lib/ndpmon/neighbor_list.dtd.

The -g flag changes the path of the neighbor cache. The default is /var/lib/ndpmon/neighbor_list.xml.

Note that an empty neighbor_cache.xml file must be created before ndpmon is run for the first time.

NDPMon must be run with root rights to work.
REPORT MESSAGES
Here is the list of the report messages generated by ndpmon:

wrong couple MAC/IP
    Taken separately, the MAC and IP addresses are valid, but not as a pair.
wrong router mac
    The ethernet address of the RA message is not specified in the configuration file.
wrong router ip
    The IP address of the RA message is not specified in the configuration file.
wrong prefix
    The prefix announced in the RA message is not specified in the configuration file.
wrong router redirect
    The RD message doesn't come from a router specified in the configuration file.
NA router flag
    The NA sets the router flag, but its sender isn't a router according to the configuration file.
DAD DOS
    An NA answers the host's NS (duplicate address detection) in order to prevent it from obtaining an IP address.
changed ethernet address
    The host switched to a new ethernet address.
flip flop
    The ethernet address has changed from the most recently seen address back to the second most recently seen address.
reused old ethernet address
    The ethernet address has changed from the most recently seen address to the third most recently seen address or an older one.
SYSLOG MESSAGES
Here are some of the syslog messages; note that messages that are reported are also syslogged.

new activity
    This ethernet/ip6 address pair was last announced two months or more ago.
new station
    The ethernet address has not been seen before on the link.
ethernet broadcast
    The ethernet address of the host is a broadcast address.
ip broadcast
    The IP address of the host is a broadcast address.
bogon
    The source IP address does not belong to the local subnet.
ethernet mismatch
    The source ethernet address doesn't match the address announced in the link-layer address option of the ND message.
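The cache-based and configuration-based checks described under REPORT MESSAGES and SYSLOG MESSAGES, modelled in Python as an added example. This is not NDPMon's own code (which is written in C and reads XML files): the CONFIG dict standing in for config_ndpmon.xml, the cache layout, the alert strings, the two-month threshold and the way "wrong couple MAC/IP" is told apart from "changed ethernet address" are assumptions drawn from the message descriptions above, and the sightings replayed by run_demo are constructed.

```python
"""Illustrative model of the checks behind NDPMon's report and syslog messages.
Added example written for this page, not NDPMon's source: CONFIG layout, cache
layout, alert strings and the wrong-couple rule are assumptions."""
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for config_ndpmon.xml: legitimate routers and prefixes.
CONFIG = {
    "routers": [{"mac": "00:11:22:33:44:01", "ip": "fe80::1"}],
    "prefixes": ["2001:db8:1::/64"],
}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
NEW_ACTIVITY_AGE = timedelta(days=60)  # "two months or more"


class NeighborCache:
    """Neighbor cache: per IPv6 address, the MACs seen, most recent first."""

    def __init__(self):
        self.entries = {}      # ip -> {"macs": [...], "last_seen": datetime}
        self.known_macs = set()

    def observe(self, ip, mac, now):
        """Record an (ip, mac) sighting and return the alerts it raises."""
        alerts = []
        if mac not in self.known_macs:
            alerts.append("new station")
        entry = self.entries.get(ip)
        if entry is None:
            self.entries[ip] = {"macs": [mac], "last_seen": now}
        else:
            if now - entry["last_seen"] >= NEW_ACTIVITY_AGE:
                alerts.append("new activity")
            macs = entry["macs"]
            if macs[0] != mac:
                if mac not in macs:
                    # Assumed distinction: a MAC already bound to another
                    # address is a wrong couple, an unseen one a plain change.
                    alerts.append("wrong couple MAC/IP" if mac in self.known_macs
                                  else "changed ethernet address")
                elif macs.index(mac) == 1:
                    alerts.append("flip flop")
                else:
                    alerts.append("reused old ethernet address")
                if mac in macs:
                    macs.remove(mac)
                macs.insert(0, mac)   # the new MAC becomes the most recent
            entry["last_seen"] = now
        self.known_macs.add(mac)
        return alerts


def check_source(src_ip, src_mac, lladdr_option=None):
    """Stateless checks on the source of any ND message."""
    alerts = []
    if src_mac == "ff:ff:ff:ff:ff:ff":
        alerts.append("ethernet broadcast")
    addr = ipaddress.ip_address(src_ip)
    on_link = addr in LINK_LOCAL or any(
        addr in ipaddress.ip_network(p) for p in CONFIG["prefixes"])
    if not on_link:
        alerts.append("bogon")
    # The link-layer address option must agree with the ethernet source.
    if lladdr_option is not None and lladdr_option != src_mac:
        alerts.append("ethernet mismatch")
    return alerts


def check_router_advertisement(src_ip, src_mac, advertised_prefixes):
    """Checks on an RA message against the routers declared in CONFIG."""
    alerts = []
    if src_mac not in {r["mac"] for r in CONFIG["routers"]}:
        alerts.append("wrong router mac")
    router_ips = {ipaddress.ip_address(r["ip"]) for r in CONFIG["routers"]}
    if ipaddress.ip_address(src_ip) not in router_ips:
        alerts.append("wrong router ip")
    allowed = {ipaddress.ip_network(p) for p in CONFIG["prefixes"]}
    if any(ipaddress.ip_network(p) not in allowed for p in advertised_prefixes):
        alerts.append("wrong prefix")
    return alerts


def run_demo():
    """Replay constructed sightings; returns the alerts raised at each step."""
    cache, t0 = NeighborCache(), datetime(2024, 1, 1)
    host, other = "2001:db8:1::10", "2001:db8:1::20"
    m1, m2, m3 = "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:03"

    def step(key, ip, mac, minutes, days=0):
        return key, cache.observe(ip, mac, t0 + timedelta(days=days, minutes=minutes))
    return dict([
        step("first", host, m1, 0),         # never seen: new station
        step("changed", host, m2, 1),       # unseen MAC on a known address
        step("flip_flop", host, m1, 2),     # back to the previous MAC
        step("third", host, m3, 3),
        step("reused", host, m2, 4),        # m2 is now third in the history
        step("activity", host, m2, 0, 61),  # same pair after two months
        step("other", other, "00:aa:bb:cc:dd:20", 1, 61),
        step("couple", other, m2, 2, 61),   # m2 is known, but belongs to host
    ])
```

Calling run_demo() walks one host through the history-based alerts in order (new station, changed ethernet address, flip flop, reused old ethernet address, new activity) and finishes with a second address claiming the first host's MAC, which the model classes as a wrong couple. check_source and check_router_advertisement cover the per-message checks that need only the configuration.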
FILES
config_ndpmon.xml
    Contains the settings which must be filled in by the administrator.
neighbor_list.xml
    Neighbor cache: all neighbors known to be on the link.
SEE ALSO
arpwatch(8), ipv6(7), pcap(3), libxml(3).
AUTHOR
Thibault Cholez and Frederic Beck for the MADYNES Project, Loria, France.
BUGS
Please send bug reports to frederic.beck@loria.fr or thibault.cholez@esial.uhp-nancy.fr.