Project name: IPwatchD – IP conflict detection tool
Author: Jaroslav Imrich
Project’s Home Page: IPwatchD
Introduction
When using a GNU/Linux operating system, from time to time you may come across a situation where network connectivity was interrupted due to the IP conflict. An IP conflict event occurs when two or more hosts on the same network are configured with identical IP addresses. At the present, there appears to be no code in the Linux kernel to take care of this situation by means of appropriate Gratuitous ARP response . Very often a network administrator is left in the complete ignorance by the Linux kernel and needs to troubleshoot IP conflict the hard way. 
Fortunately, there is a simple daemon called IPwatchD which main purpose is to catch and evaluate packets on the network and this way is able to prevent an IP conflict occurrence. This is done by help of libpcap library. IPwatchD daemon is written in C language and can run in passive or active modes. The difference between a passive and active mode is that in the passive mode IPwatchD only logs every IP conflict event by engaging syslog daemon, and in active mode IPwatchD takes one step further and responds to Gratuitous ARP request which is the main construction block when it comes to the IP conflict prevention. This article will explore this simple daemon in terms of installation, configuration and usage.
Prerequisites
Before we can install IPwatchD under the GNU/Linux operating system it is recommended to confirm that all prerequisites needed by IPwatchD are installed on the system. Here is a list of packages you would need to install on Ubuntu 8.10.
* build-essential - C compiler and other development tools
* libpcap-dev - Network packet capture library
* libnet1-dev - Network packet construction library
* libnotify-dev - sends desktop notifications to a notification daemon
On ubuntu or debian linux you can install those packages with a following linux command:
# apt-get install build-essential libpcap-dev libnet1-dev libnotify-dev
Installation
Now, that we have installed all required prerequisites, it is time to compile and install IPwatchD daemon. There are two types of IPwatchD installations.
- Desktop version with build-in GUI message notification
- Server version which encompasses just the IPwatchd daemon without a GUI message notification
Difference between Desktop and Server version is that in Desktop version IPwatchD reacts to the IP conflict event by displaying a message on the GUI as well as to the relevant long files. In the contrary to the Desktop version, Server version only logs an IP conflict event to the relevant log files.
IPwatchD Desktop version
The installation routine of IPwatchD for both Desktop and Server versions is very similar. Download IPwatchD source code tarball and enter following linux commands:
$ bunzip2 ipwatchd-x.x.tar.bz2
$ tar xvjf ipwatchd-x.x.tar
$ cd ipwatchd-x.x/src
$ make
Once a binary is compiled, login as a superuser (root) and enter:
# make install
IPwatchD Server version
To install a IPwatchD server version compile a IPwatchd source code by:
$ bunzip2 ipwatchd-x.x.tar.bz2
$ tar xvjf ipwatchd-x.x.tar
$ cd ipwatchd-x.x/src
$ make daemon
Once a binary is compiled, login a superuser (root) and enter:
# make install
At this point all IPwatchD executable binaries are copied into the /usr/local/sbin. The configuration file can be found in /usr/local/etc directory.
NOTE: To uninstall IPwatchD, simply as a root user issue a command:
make unistall
Configuration
As it was already mentioned above, an IPwatchD daemon can work in two modes. To instruct this daemon to listen on the eth0 in active mode amend a configuration file /usr/local/etc/ipwatchd.conf with a following line:
eth0 active
IpwatchD daemon is also able to work with virtual interfaces. So feel free to add line “eth0:1 passive” if you want IPwatchD listen on eth0:1 network interface in a passive mode.
Usage
Curent version of IPwatchD 1.1.1 does not start by it self. To start IPwatchD run a following linux command as a root user:
# /usr/local/sbin/ipwatchd -c /usr/local/etc/ipwatchd.conf
Confirm that IPwatchD is running on your system by ps command:
ps aux | grep ipwatchd
You should get an output similar to the one below:
root 10814 0.0 0.2 2032 572 ? Ss 19:27 0:00
/usr/local/sbin/ipwatchd -c /usr/local/etc/ipwatchd.conf
root 10818 0.0 0.3 3240 796 pts/1 R+ 19:27 0:00 grep ipwatchd
To logic here is as follows, modern operating systems are trying to avoid an IP conflict by sending a special type of ARP broadcast packets at the boot time or during a network interface reconfiguration. This type of special broadcast packet is called [http://wiki.wireshark.org/Gratuitous_ARP Gratuitous ARP]. The purpose of the Gratuitous ARP packet is to discover, if an IP address they are about to acquire is not already taken by yet another host.
An alternative to the GUI notification message is a syslog file. IPwatchD also logs all relevant IP conflict events into the syslog file. Here is a sample message generated by IPwatchD daemon:
an 11 20:50:47 linuxconfig-desktop IPwatchD[13215]: MAC address 8:0:27:b6:5a:6c causes
IP conflict with address 10.1.1.6 set on interface eth0 - active mode - reply sent
Jan 11 20:50:47 linuxconfig-desktop avahi-daemon[3965]: Withdrawing address
record for 10.1.1.6 on eth0.
NOTE: To stop IPwatchD daemon you can use kill command. This way IPwatchD daemon receives SIGTERM signal which will gracefully stop this process, release a used memory and stop listening on a network interface. For the long run, to make it automatic, you can also create some simple daemon init.d script and link it from an appropriate runlevel directory on your system.
Conclusion
IPwatchD is certainly a handy tool which can sometimes save you a day. However, there are also some limitations. Current version of IPwatchD 1.1.1 is limited to only GNOME graphical user interface. Nevertheless, it is still possible to use a Server version and refer to the syslog file in case of some unexpected connectivity problems.