[NTLUG:Discuss] Delete host from Arpwatch database
Eric Waguespack
ewaguespack at gmail.com
Mon May 18 15:55:52 CDT 2009
On Mon, May 18, 2009 at 3:42 PM, CoryC <oakleeman at yahoo.com> wrote:
>
> I've been using Arpwatch for a while on my network here at work and just realized something quite frustrating. Whenever I delete a host entry from the database they keep showing up even after the host has been physically removed from the network and the server rebooted. I have reproduced this on two different servers on two different networks.
>
> I'm running CentOS 4.7 and the entries are stored in /var/arpwatch/arp.dat and a backup file /var/arpwatch/arp.dat- (Hyphen intentional).
>
> If I bring up a new computer/virtual machine, Arpwatch detects the MAC & IP address and inserts them into the arp.dat and arp.dat- files.
>
> The machine goes off our network or the virtual machine is deleted and I delete the entries from the arp.dat & arp.dat- files. As soon as the Arpwatch service restarts the entry shows up in both files again....even after a reboot. The devices are no longer physically on the network but I can't figure out why they keep showing up. They don't show up in the arp table and I can't find anywhere else they are stored.
>
> I've searched Google using combinations of Arpwatch, arp.dat, cache, purge, delete, flush, etc. and not found any mention of this issue before.
>
> Any suggestions?
>
Are you deleting /var/arpwatch/arp.dat{,-} while arpwatch is running?
If you are, then they may not really be gone due to the process having
the files open.
Only thing I can think of off the top of my head, though.
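
Added example, not part of the original thread: a shell function that removes one host from arp.dat and arp.dat- only when no arpwatch process is running, following the point raised in the reply. The function names, the ARPWATCH_RUNNING_CMD override, and the sample rows are hypothetical; the tab-separated "MAC IP timestamp [hostname]" layout with MAC octets stored without leading zeros is an assumption about the file format.

```shell
#!/bin/sh
# Added example: offline removal of one host from an arpwatch database.
# Assumed layout: MAC<TAB>IP<TAB>epoch[<TAB>hostname], MAC octets without leading zeros.

# Command used to detect a live arpwatch; overridable (hypothetical knob).
: "${ARPWATCH_RUNNING_CMD:=pgrep -x arpwatch}"

make_sample_db() {   # constructed sample rows, not real hosts
  printf '0:c:29:ab:cd:ef\t192.0.2.10\t1242680000\tvm-old\n'      >  "$1"
  printf '0:1e:c9:11:22:33\t192.0.2.20\t1242680100\tfileserver\n' >> "$1"
  cp "$1" "$1-"
}

purge_arp_entry() {  # usage: purge_arp_entry /var/arpwatch/arp.dat 00:0C:29:AB:CD:EF
  db=$1 mac=$2
  # While arpwatch runs it holds the database, so edits made underneath it
  # may not stick (the point raised in the reply). Refuse to edit in that case.
  if $ARPWATCH_RUNNING_CMD >/dev/null 2>&1; then
    echo "arpwatch is running; stop the service before editing $db" >&2
    return 2
  fi
  for f in "$db" "$db-"; do            # main file and its backup
    [ -f "$f" ] || continue
    tmp=$(mktemp "$f.XXXXXX") || return 1
    awk -F'\t' -v want="$mac" '
      # Lowercase and strip leading zeros per octet so 00:0C:.. matches 0:c:..
      function norm(m,   n, i, p, out) {
        n = split(tolower(m), p, ":")
        for (i = 1; i <= n; i++) {
          sub(/^0+/, "", p[i]); if (p[i] == "") p[i] = "0"
          out = out (i > 1 ? ":" : "") p[i]
        }
        return out
      }
      norm($1) != norm(want)' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$f" && rm -f "$tmp" || return 1
  done
}
```

Stop the arpwatch service, run purge_arp_entry against /var/arpwatch/arp.dat, then start the service again.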