[NTLUG:Discuss] Delete host from Arpwatch database

Kenneth Loafman kenneth at loafman.com
Mon May 18 16:03:58 CDT 2009


CoryC wrote:
> I've been using Arpwatch for a while on my network here at work and
> just realized something quite frustrating. Whenever I delete a host
> entry from the database they keep showing up even after the host has
> been physically removed from the network and the server rebooted. I
> have reproduced this on two different servers on two different
> networks.
> 
> I'm running CentOS 4.7 and the entries are stored in
> /var/arpwatch/arp.dat and a backup file /var/arpwatch/arp.dat-
> (Hyphen intentional).
> 
> If I bring up a new computer/virtual machine, Arpwatch detects the
> MAC & IP address and inserts them into the arp.dat and arp.dat-
> files.
> 
> The machine goes off our network or the virtual machine is deleted
> and I delete the entries from the arp.dat & arp.dat- files. As soon
> as the Arpwatch service restarts the entry shows up in both files
> again....even after a reboot. The devices are no longer physically on
> the network but I can't figure out why they keep showing up. They
> don't show up in the arp table and I can't find anywhere else they
> are stored.
> 
> I've searched Google using combinations of Arpwatch, arp.dat, cache,
> purge, delete, flush, etc. and not found any mention of this issue
> before.

Routers and switches often maintain arp tables for a very long time.
You'll need to clear those as well.

...Ken
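
Added example, not part of the original thread: a small Python filter that removes every record for a given MAC from the text of arp.dat, so the same edit can be applied consistently to both files named in the post. It assumes the stock arpwatch record layout (tab-separated MAC, IP, epoch timestamp, optional hostname) and that arpwatch writes MACs without leading zeros; the function names and the sample data are constructed for illustration.

```python
import re

# Constructed sample in the assumed arp.dat layout:
# MAC <TAB> IP <TAB> epoch timestamp [<TAB> hostname]
SAMPLE_ARP_DAT = (
    "0:c:29:a:1b:2\t192.0.2.10\t1242680000\tvm-test\n"
    "0:1e:c9:44:55:66\t192.0.2.20\t1242680100\n"
    "0:c:29:a:1b:2\t192.0.2.11\t1242680200\n"
    "garbage line without tabs\n"
)

_OCTET = re.compile(r"[0-9A-Fa-f]{1,2}")

def normalize_mac(mac):
    """Return a zero-padded lowercase MAC so 00:0C:29:0A:1B:02,
    00-0c-29-0a-1b-02 and 0:c:29:a:1b:2 all compare equal."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(_OCTET.fullmatch(p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)

def purge_hosts(arp_dat_text, macs_to_remove):
    """Drop every record whose MAC is in macs_to_remove.

    Returns (remaining_text, removed) where removed is a list of
    (mac, ip) pairs. Lines that do not parse are kept untouched, so
    data the filter does not understand is never discarded."""
    targets = {normalize_mac(m) for m in macs_to_remove}
    kept, removed = [], []
    for line in arp_dat_text.splitlines(keepends=True):
        fields = line.rstrip("\n").split("\t")
        try:
            mac = normalize_mac(fields[0])
        except ValueError:
            kept.append(line)
            continue
        if mac in targets:
            removed.append((mac, fields[1] if len(fields) > 1 else ""))
        else:
            kept.append(line)
    return "".join(kept), removed

if __name__ == "__main__":
    remaining, removed = purge_hosts(SAMPLE_ARP_DAT, ["00:0C:29:0A:1B:02"])
    print("removed:", removed)
    print(remaining, end="")
```

A search for the MAC in its usual zero-padded form can miss the shortened form in the file, which is why the comparison is done on normalized addresses. One host can also hold several records (one per IP it used), and all of them are removed together.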


