--- /dev/null
+Index: arpwatch/Makefile.in
+diff -u arpwatch/Makefile.in:1.1.1.1 arpwatch/Makefile.in:1.1.1.1.10.1
+--- arpwatch/Makefile.in:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/Makefile.in Tue Apr 17 13:53:29 2001
+@@ -31,7 +31,8 @@
+ # Pathname of directory to install the man page
+ MANDEST = @mandir@
+ # Pathname of directory to install database file
+-ARPDIR = $(prefix)/arpwatch
++ARPDIR = /var/lib/arpwatch
++ETHERCODES = /usr/share/arpwatch/ethercodes.dat
+
+ # VPATH
+ srcdir = @srcdir@
+@@ -45,7 +46,8 @@
+ PROG = arpwatch
+ CCOPT = @V_CCOPT@
+ INCLS = -I. @V_INCLS@ -I/usr/include/pcap
+-DEFS = -DDEBUG @DEFS@ -DARPDIR=\"$(ARPDIR)\" -DPATH_SENDMAIL=\"$(SENDMAIL)\"
++DEFS = -DDEBUG @DEFS@ -DARPDIR=\"$(ARPDIR)\" -DPATH_SENDMAIL=\"$(SENDMAIL)\" \
++ -DETHERCODES=\"$(ETHERCODES)\"
+
+ # Standard CFLAGS
+ CFLAGS = $(CCOPT) $(DEFS) $(INCLS)
+Index: arpwatch/arpsnmp.8
+diff -u arpwatch/arpsnmp.8:1.1.1.1 arpwatch/arpsnmp.8:1.1.1.1.10.1
+--- arpwatch/arpsnmp.8:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpsnmp.8 Tue Apr 17 13:53:29 2001
+@@ -1,4 +1,4 @@
+-.\" @(#) $Id$ (LBL)
++.\" @(#) $Id$ (LBL)
+ .\"
+ .\" Copyright (c) 1996, 1997, 1999, 2000
+ .\" The Regents of the University of California. All rights reserved.
+@@ -69,9 +69,9 @@
+ .na
+ .nh
+ .nf
+-/usr/operator/arpwatch - default directory
++/var/lib/arpwatch - default directory
+ arp.dat - ethernet/ip address database
+-ethercodes.dat - vendor ethernet block list
++/usr/share/arpwatch/ethercodes.dat - vendor ethernet block list
+ .ad
+ .hy
+ .fi
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1 arpwatch/arpwatch.8:1.1.1.1.10.1
+--- arpwatch/arpwatch.8:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpwatch.8 Tue Apr 17 13:53:29 2001
+@@ -1,4 +1,4 @@
+-.\" @(#) $Id$ (LBL)
++.\" @(#) $Id$ (LBL)
+ .\"
+ .\" Copyright (c) 1992, 1994, 1996, 1997, 2000
+ .\" The Regents of the University of California. All rights reserved.
+@@ -152,9 +152,9 @@
+ .na
+ .nh
+ .nf
+-/usr/operator/arpwatch - default directory
++/var/lib/arpwatch - default directory
+ arp.dat - ethernet/ip address database
+-ethercodes.dat - vendor ethernet block list
++/usr/share/arpwatch/ethercodes.dat - vendor ethernet block list
+ .ad
+ .hy
+ .fi
+Index: arpwatch/arpwatch.h
+diff -u arpwatch/arpwatch.h:1.1.1.1 arpwatch/arpwatch.h:1.1.1.1.10.1
+--- arpwatch/arpwatch.h:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpwatch.h Tue Apr 17 13:53:29 2001
+@@ -1,7 +1,7 @@
+ /* @(#) $Id$ (LBL) */
+
+ #define ARPFILE "arp.dat"
+-#define ETHERCODES "ethercodes.dat"
++/* #define ETHERCODES "ethercodes.dat" */
+ #define CHECKPOINT (15*60) /* Checkpoint time in seconds */
+
+ #define MEMCMP(a, b, n) memcmp((char *)a, (char *)b, n)
+Index: arpwatch/bihourly
+diff -u arpwatch/bihourly:1.1.1.1 arpwatch/bihourly:1.1.1.1.10.1
+--- arpwatch/bihourly:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/bihourly Tue Apr 17 13:53:29 2001
+@@ -6,7 +6,7 @@
+ PATH=$PATH:/usr/local/sbin
+ export PATH
+ #
+-cd /usr/operator/arpwatch
++cd /var/lib/arpwatch
+ #
+ list=`cat list`
+ cname=`cat cname`
+@@ -14,7 +14,7 @@
+ #
+ alist=""
+ for r in $list; do \
+- ./arpfetch $r $cname > $r 2> $errs
++ arpfetch $r $cname > $r 2> $errs
+ if test -s $errs; then
+ echo "arpfetch $r failed:"
+ sed -e 's/^/ /' $errs
--- /dev/null
+Index: arpwatch/arp2ethers.8
+diff -u /dev/null arpwatch/arp2ethers.8:1.1.2.3
+--- /dev/null Sat Aug 14 03:19:34 2004
++++ arpwatch/arp2ethers.8 Thu Aug 12 14:37:09 2004
+@@ -0,0 +1,64 @@
++.TH ARP2ETHERS 8
++.SH NAME
++arp2ethers \- convert arpwatch address database to ethers file format
++.SH SYNOPSIS
++.na
++.B arp2ethers
++[
++.B arp.dat file
++]
++.ad
++.SH "DESCRIPTION"
++.B arp2ethers
++converts the file
++.IR /var/lib/arpwatch/arp.dat
++(or the file specified on the command line)
++into
++.BR ethers(5)
++format on
++.IR stdout .
++Usually
++.IR arp.dat
++is an ethernet/ip database file generated by
++.BR arpwatch(8) .
++The arpwatch daemon in Debian will create different
++.IR arp.dat
++depending on its configuration. All of them will be available at
++.IR /var/lib/arpwatch/ .
++.SH FILES
++.na
++.nh
++.nf
++/var/lib/arpwatch - default directory for arp.dat
++arp.dat - ethernet/ip address database
++.ad
++.hy
++.fi
++.SH "SEE ALSO"
++.na
++.nh
++.BR arpwatch (8),
++.BR ethers (5),
++.BR rarp (8),
++.BR arp (8),
++.ad
++.hy
++.SH BUGS
++Please send bug reports to arpwatch@ee.lbl.gov.
++.SH AUTHORS
++.LP
++Original version by Craig Leres of the Lawrence Berkeley
++National Laboratory Network Research Group, University of
++California, Berkeley, CA.
++.LP
++Modified for the Debian Project by Peter Kelemen, with
++additions from Erik Warmelink.
++.LP
++The current version is available via anonymous ftp:
++.LP
++.RS
++.I ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
++.RE
++.LP
++This manual page was contributed by Hugo Graumann.
++
+Index: arpwatch/arpfetch.8
+diff -u /dev/null arpwatch/arpfetch.8:1.1.2.2
+--- /dev/null Sat Aug 14 03:19:34 2004
++++ arpwatch/arpfetch.8 Tue Apr 17 14:12:51 2001
+@@ -0,0 +1,63 @@
++.TH ARPFETCH 8
++.SH NAME
++arpfetch \- obtain ethernet/ip address pairings via snmp
++.SH SYNOPSIS
++.na
++arpfetch
++.I host
++.I cname
++.SH "DESCRIPTION"
++.B arpfetch
++gets pairings between ip addresses and the ethernet address of the
++corresponding network card. These pairings are retrieved from other
++network entities, like routers, by the SNMP protocol using
++.BR snmpwalk(1) .
++Mostly, this program is an agent that
++is used to get data for
++.BR arpsnmp(8) .
++This fetching of address mappings can be further automated by use of
++.BR bihourly(8) .
++.LP
++Both command arguments must be present for proper operation.
++The
++.IR host
++argument is the hostname of the network entity being queried and the
++.IR cname
++argument is the SNMP community name of the network entity.
++.LP
++The information is presented on
++.IR stdout
++in a format compatible with
++.BR arpsnmp(8)
++and
++.BR arpwatch(8) .
++.LP
++Further information about SNMP can be found in
++.BR snmpcmd(1)
++and
++.BR variables(5) .
++.SH "SEE ALSO"
++.na
++.nh
++.BR arpsnmp (8),
++.BR arpwatch(8),
++.BR bihourly (8),
++.BR snmpwalk (1),
++.BR snmpcmd (1),
++.BR variables (5)
++.ad
++.hy
++.SH BUGS
++Please send bug reports to arpwatch@ee.lbl.gov.
++.SH AUTHORS
++Craig Leres of the
++Lawrence Berkeley National Laboratory Network Research Group,
++University of California, Berkeley, CA.
++.LP
++The current version is available via anonymous ftp:
++.LP
++.RS
++.I ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
++.RE
++.LP
++This manual page was contributed by Hugo Graumann.
+Index: arpwatch/arpsnmp.8
+diff -u arpwatch/arpsnmp.8:1.1.1.1 arpwatch/arpsnmp.8:1.1.1.1.16.2
+--- arpwatch/arpsnmp.8:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpsnmp.8 Tue Apr 17 14:53:57 2001
+@@ -22,7 +22,7 @@
+ .TH ARPSNMP 8 "17 September 2000"
+ .UC 4
+ .SH NAME
+-arpsnmp - keep track of ethernet/ip address pairings
++arpsnmp \- keep track of ethernet/ip address pairings
+ .SH SYNOPSIS
+ .B arpsnmp
+ [
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1 arpwatch/arpwatch.8:1.1.1.1.16.2
+--- arpwatch/arpwatch.8:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpwatch.8 Tue Apr 17 14:53:57 2001
+@@ -22,7 +22,7 @@
+ .TH ARPWATCH 8 "8 October 2000"
+ .UC 4
+ .SH NAME
+-arpwatch - keep track of ethernet/ip address pairings
++arpwatch \- keep track of ethernet/ip address pairings
+ .SH SYNOPSIS
+ .na
+ .B arpwatch
+Index: arpwatch/bihourly.8
+diff -u /dev/null arpwatch/bihourly.8:1.1.2.2
+--- /dev/null Sat Aug 14 03:19:34 2004
++++ arpwatch/bihourly.8 Tue Apr 17 14:12:51 2001
+@@ -0,0 +1,73 @@
++.TH BIHOURLY 8
++.SH NAME
++bihourly \- track ethernet/ip address pairs
++.SH SYNOPSIS
++.na
++bihourly
++.SH "DESCRIPTION"
++.B bihourly
++is a script that automates the operation of
++.B arpsnmp(8)
++by executing
++.B arpfetch(8)
++on a series of hostnames and then
++sending the results to
++.B arpsnmp(8)
++for analysis.
++.LP
++The result is a report of the current pairings
++between ip addresses and the corresponding ethernet address
++of the network hardware as reported by
++.B snmpwalk(8).
++Activity
++is logged and noted changes are reported by email.
++.LP
++In its working directory
++.B bihourly
++expects a file named
++.IR list
++which contains a space separated list of hostnames to be queried
++and a file named
++.IR cname
++which holds the SNMP community name by which to query these hosts.
++.LP
++Contrary to the name,
++.B bihourly
++does not run twice every hour. It
++runs once each time it is invoked. For repeated operation
++.B bihourly
++must be invoked on a periodic basis by a program like
++.B cron(1).
++.SH FILES
++.na
++.nh
++.nf
++/var/lib/arpwatch - default working directory
++list - file containing names of hosts to query
++cname - file containing the SNMP community name by which to query
++.ad
++.hy
++.fi
++.SH "SEE ALSO"
++.na
++.nh
++.BR arpsnmp (8),
++.BR arpfetch(8),
++.BR snmpwalk (8),
++.BR cron (8)
++.ad
++.hy
++.SH BUGS
++Please send bug reports to arpwatch@ee.lbl.gov.
++.SH AUTHORS
++Craig Leres of the
++Lawrence Berkeley National Laboratory Network Research Group,
++University of California, Berkeley, CA.
++.LP
++The current version is available via anonymous ftp:
++.LP
++.RS
++.I ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
++.RE
++.LP
++This manual page was contributed by Hugo Graumann.
+Index: arpwatch/massagevendor.8
+diff -u /dev/null arpwatch/massagevendor.8:1.1.2.2
+--- /dev/null Sat Aug 14 03:19:34 2004
++++ arpwatch/massagevendor.8 Tue Apr 17 14:12:51 2001
+@@ -0,0 +1,91 @@
++.TH MASSAGEVENDOR 8
++.SH NAME
++massagevendor \- convert the ethernet vendor codes master list to arpwatch format
++.SH SYNOPSIS
++.na
++massagevendor
++.I vendorfile
++.SH "DESCRIPTION"
++.B massagevendor
++is a program that converts a text file containing ethernet vendor codes
++into a format suitable for use by
++.B arpwatch(8)
++and
++.B arpsnmp(8).
++The input
++.I vendorfile
++is a master text file containing vendor codes. The output
++is sent to
++.I stdout.
++Each line of the
++.I vendorfile
++is expected to have a six digit hexadecimal vendor code
++followed by spaces followed by the name of the manufacturer.
++.LP
++All ethernet devices have a unique identifier which
++includes a vendor code specifying the manufacturer of the
++device. In normal operation
++.B arpwatch(8)
++and
++.B arpsnmp(8)
++use the file
++.I ethercodes.dat
++to report this vendor code.
++.B massagevendor
++is used to generate the
++.I ethercodes.dat
++file from text files containing these vendor codes.
++.LP
++Locations where an ethernet vendor codes master text file
++can be obtained are given below.
++.SH FILES
++.na
++.nh
++.nf
++/usr/share/arpwatch - default location of the ethernet vendor list
++ethercodes.dat - file containing the list of ethernet vendor codes
++.ad
++.hy
++.fi
++.SH "SEE ALSO"
++.na
++.nh
++.BR arpwatch(8),
++.BR arpsnmp(8)
++.ad
++.hy
++.SH NOTES
++Sources for ethernet vendor codes seen in the wild are
++.LP
++.na
++.nh
++.nf
++.RS
++.I http://map-ne.com/Ethernet/vendor.html
++.I ftp://ftp.cavebear.com/pub/Ethernet.txt
++.I http://www.cavebear.com/CaveBear/Ethernet/vendor.html
++.RE
++.ad
++.hy
++.LP
++Useful for comparison or completeness are the
++ethernet vendor codes as assigned
++by the IEEE which can be found at
++.LP
++.RS
++.I http://standards.ieee.org/regauth/oui/oui.txt
++.RE
++.SH BUGS
++Please send bug reports to arpwatch@ee.lbl.gov.
++.SH AUTHORS
++Craig Leres of the
++Lawrence Berkeley National Laboratory Network Research Group,
++University of California, Berkeley, CA.
++.LP
++The current version is available via anonymous ftp:
++.LP
++.RS
++.I ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
++.RE
++.LP
++This manual page was contributed by Hugo Graumann.
--- /dev/null
+Index: arpwatch/VERSION
+diff -u arpwatch/VERSION:1.1.1.3 arpwatch/VERSION:1.1.1.1.2.2
+--- arpwatch/VERSION:1.1.1.3 Tue Aug 10 10:53:34 2004
++++ arpwatch/VERSION Tue Aug 10 11:14:13 2004
+@@ -1 +1 @@
+-2.1a13
++2.1a13
+\ No newline at end of file
+Index: arpwatch/arpsnmp.8
+diff -u arpwatch/arpsnmp.8:1.1.1.1 arpwatch/arpsnmp.8:1.1.1.1.2.1
+--- arpwatch/arpsnmp.8:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpsnmp.8 Thu Aug 12 22:16:18 2004
+@@ -27,10 +27,19 @@
+ .B arpsnmp
+ [
+ .B -d
+-] [
++]
++.\" **
++.\" **
++.br
++.ti +8
++[
+ .B -f
+ .I datafile
+ ]
++.\" **
++.\" **
++.br
++.ti +8
+ .I file
+ [
+ .I ...
+@@ -42,18 +51,24 @@
+ .B Arpsnmp
+ reads information from a file (usually generated by
+ .BR snmpwalk (8)).
++.\" **
++.\" **
+ .LP
+ The
+ .B -d
+ flag is used enable debugging. This also inhibits mailing the reports.
+ Instead, they are sent to
+ .IR stderr .
++.\" **
++.\" **
+ .LP
+ The
+ .B -f
+ flag is used to set the ethernet/ip address database filename.
+ The default is
+ .IR arp.dat .
++.\" **
++.\" **
+ .LP
+ Note that an empty
+ .I arp.dat
+Index: arpwatch/arpsnmp.c
+diff -u arpwatch/arpsnmp.c:1.1.1.2 arpwatch/arpsnmp.c:1.1.1.1.2.2
+--- arpwatch/arpsnmp.c:1.1.1.2 Tue Aug 10 10:53:34 2004
++++ arpwatch/arpsnmp.c Tue Aug 10 11:14:13 2004
+@@ -78,6 +78,10 @@
+ register char *cp;
+ register int op, i;
+ char errbuf[256];
++ char options[] =
++ "d"
++ "f:"
++ ;
+
+ if ((cp = strrchr(argv[0], '/')) != NULL)
+ prog = cp + 1;
+@@ -90,7 +94,7 @@
+ }
+
+ opterr = 0;
+- while ((op = getopt(argc, argv, "df:")) != EOF)
++ while ((op = getopt(argc, argv, options)) != EOF)
+ switch (op) {
+
+ case 'd':
+@@ -182,9 +186,14 @@
+ usage(void)
+ {
+ extern char version[];
++ char usage[] =
++ "[-d] "
++ "[-f datafile] "
++ "file [...]\n"
++ ;
+
+ (void)fprintf(stderr, "Version %s\n", version);
+ (void)fprintf(stderr,
+- "usage: %s [-d] [-f datafile] file [...]\n", prog);
++ "usage: %s %s", prog, usage);
+ exit(1);
+ }
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1 arpwatch/arpwatch.8:1.1.1.1.2.2
+--- arpwatch/arpwatch.8:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpwatch.8 Thu Aug 12 22:31:09 2004
+@@ -26,12 +26,24 @@
+ .SH SYNOPSIS
+ .na
+ .B arpwatch
++.\" **
++.\" **
+ [
+ .B -dN
+-] [
++]
++.\" **
++.\" **
++.br
++.ti +8
++[
+ .B -f
+ .I datafile
+-] [
++]
++.\" **
++.\" **
++.br
++.ti +8
++[
+ .B -i
+ .I interface
+ ]
+@@ -40,10 +52,17 @@
+ [
+ .B -n
+ .IR net [/ width
+-]] [
++]]
++.\" **
++.\" **
++.br
++.ti +8
++[
+ .B -r
+ .I file
+ ]
++.\" **
++.\" **
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
+@@ -53,22 +72,30 @@
+ uses
+ .BR pcap (3)
+ to listen for arp packets on a local ethernet interface.
++.\" **
++.\" **
+ .LP
+ The
+ .B -d
+ flag is used enable debugging. This also inhibits forking into the
+ background and emailing the reports. Instead, they are sent to
+ .IR stderr .
++.\" **
++.\" **
+ .LP
+ The
+ .B -f
+ flag is used to set the ethernet/ip address database filename.
+ The default is
+ .IR arp.dat .
++.\" **
++.\" **
+ .LP
+ The
+ .B -i
+ flag is used to override the default interface.
++.\" **
++.\" **
+ .LP
+ The
+ .B -n
+@@ -77,10 +104,14 @@
+ on the same wire. If the optional
+ .I width
+ is not specified, the default netmask for the network's class is used.
++.\" **
++.\" **
+ .LP
+ The
+ .B -N
+ flag disables reporting any bogons.
++.\" **
++.\" **
+ .LP
+ The
+ .B -r
+@@ -93,11 +124,15 @@
+ of reading from the network. In this case,
+ .B arpwatch
+ does not fork.
++.\" **
++.\" **
+ .LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+ .BR arpwatch .
++.\" **
++.\" **
+ .LP
+ .SH "REPORT MESSAGES"
+ Here's a quick list of the report messages generated by
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1 arpwatch/arpwatch.c:1.1.1.1.2.5
+--- arpwatch/arpwatch.c:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpwatch.c Sat Aug 14 02:33:07 2004
+@@ -153,6 +153,26 @@
+ register char *interface, *rfilename;
+ struct bpf_program code;
+ char errbuf[PCAP_ERRBUF_SIZE];
++ char options[] =
++ "d"
++ /**/
++ /**/
++ "f:"
++ /**/
++ /**/
++ "i:"
++ /**/
++ /**/
++ "n:"
++ /**/
++ /**/
++ "N"
++ /**/
++ /**/
++ "r:"
++ /**/
++ /**/
++ ;
+
+ if (argv[0] == NULL)
+ prog = "arpwatch";
+@@ -170,7 +190,7 @@
+ interface = NULL;
+ rfilename = NULL;
+ pd = NULL;
+- while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF)
++ while ((op = getopt(argc, argv, options)) != EOF)
+ switch (op) {
+
+ case 'd':
+@@ -201,7 +221,8 @@
+ case 'r':
+ rfilename = optarg;
+ break;
+-
++ /**/
++ /**/
+ default:
+ usage();
+ }
+@@ -748,9 +769,26 @@
+ usage(void)
+ {
+ extern char version[];
++ char usage[] =
++ "[-dN] "
++ /**/
++ /**/
++ "[-f datafile] "
++ /**/
++ /**/
++ "[-i interface] "
++ /**/
++ /**/
++ "[-n net[/width]] "
++ /**/
++ /**/
++ "[-r file] "
++ /**/
++ /**/
++ "\n"
++ ;
+
+ (void)fprintf(stderr, "Version %s\n", version);
+- (void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
+- " [-n net[/width]] [-r file]\n", prog);
++ (void)fprintf(stderr, "usage: %s %s", prog, usage);
+ exit(1);
+ }
+Index: arpwatch/util.c
+diff -u arpwatch/util.c:1.1.1.2 arpwatch/util.c:1.1.1.1.2.2
+--- arpwatch/util.c:1.1.1.2 Tue Aug 10 10:53:34 2004
++++ arpwatch/util.c Fri Aug 13 00:06:49 2004
+@@ -61,6 +61,8 @@
+
+ int debug = 0;
+ int initializing = 1; /* true if initializing */
++/**/
++/**/
+
+ /* syslog() helper routine */
+ void
+Index: arpwatch/util.h
+diff -u arpwatch/util.h:1.1.1.1 arpwatch/util.h:1.1.1.1.2.1
+--- arpwatch/util.h:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/util.h Fri Aug 13 00:06:49 2004
+@@ -17,3 +17,5 @@
+
+ extern int debug;
+ extern int initializing;
++/**/
++/**/
--- /dev/null
+Index: arpwatch/arpsnmp.8
+diff -u arpwatch/arpsnmp.8:1.1.1.1.2.1 arpwatch/arpsnmp.8:1.1.1.1.4.4
+--- arpwatch/arpsnmp.8:1.1.1.1.2.1 Thu Aug 12 22:16:18 2004
++++ arpwatch/arpsnmp.8 Thu Aug 12 22:23:48 2004
+@@ -40,6 +40,14 @@
+ .\" **
+ .br
+ .ti +8
++[
++.B -s
++.I sendmail_path
++]
++.\" **
++.\" **
++.br
++.ti +8
+ .I file
+ [
+ .I ...
+@@ -70,6 +78,15 @@
+ .\" **
+ .\" **
+ .LP
++(Debian) The
++.B -s
++flag is used to specify the path to the sendmail program.
++Any program that takes the option -odi and then text from stdin
++can be substituted. This is useful for redirecting reports
++to log files instead of mail.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpsnmp.c
+diff -u arpwatch/arpsnmp.c:1.1.1.1.2.2 arpwatch/arpsnmp.c:1.1.1.1.2.1.2.2
+--- arpwatch/arpsnmp.c:1.1.1.1.2.2 Tue Aug 10 11:14:13 2004
++++ arpwatch/arpsnmp.c Tue Aug 10 11:16:17 2004
+@@ -67,6 +67,7 @@
+ __dead void usage(void) __attribute__((volatile));
+
+ char *prog;
++char *path_sendmail = PATH_SENDMAIL;
+
+ extern int optind;
+ extern int opterr;
+@@ -81,6 +82,7 @@
+ char options[] =
+ "d"
+ "f:"
++ "s:"
+ ;
+
+ if ((cp = strrchr(argv[0], '/')) != NULL)
+@@ -109,6 +111,10 @@
+ arpfile = optarg;
+ break;
+
++ case 's':
++ path_sendmail = optarg;
++ break;
++
+ default:
+ usage();
+ }
+@@ -189,6 +195,7 @@
+ char usage[] =
+ "[-d] "
+ "[-f datafile] "
++ "[-s sendmail_path] "
+ "file [...]\n"
+ ;
+
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1.2.2 arpwatch/arpwatch.8:1.1.1.1.4.5
+--- arpwatch/arpwatch.8:1.1.1.1.2.2 Thu Aug 12 22:31:09 2004
++++ arpwatch/arpwatch.8 Thu Aug 12 22:35:07 2004
+@@ -63,6 +63,14 @@
+ ]
+ .\" **
+ .\" **
++.br
++.ti +8
++[
++.B -s
++.I sendmail_path
++]
++.\" **
++.\" **
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
+@@ -127,6 +135,15 @@
+ .\" **
+ .\" **
+ .LP
++(Debian) The
++.B -s
++flag is used to specify the path to the sendmail program.
++Any program that takes the option -odi and then text from stdin
++can be substituted. This is useful for redirecting reports
++to log files instead of mail.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1.2.5 arpwatch/arpwatch.c:1.1.1.1.2.1.2.3
+--- arpwatch/arpwatch.c:1.1.1.1.2.5 Sat Aug 14 02:33:07 2004
++++ arpwatch/arpwatch.c Fri Aug 13 00:12:22 2004
+@@ -106,6 +106,7 @@
+ #endif
+
+ char *prog;
++char *path_sendmail = PATH_SENDMAIL;
+
+ int can_checkpoint;
+ int swapped;
+@@ -172,6 +173,9 @@
+ "r:"
+ /**/
+ /**/
++ "s:"
++ /**/
++ /**/
+ ;
+
+ if (argv[0] == NULL)
+@@ -223,6 +227,11 @@
+ break;
+ /**/
+ /**/
++ case 's':
++ path_sendmail = optarg;
++ break;
++ /**/
++ /**/
+ default:
+ usage();
+ }
+@@ -785,6 +794,9 @@
+ "[-r file] "
+ /**/
+ /**/
++ "[-s sendmail_path] "
++ /**/
++ /**/
+ "\n"
+ ;
+
+Index: arpwatch/report.c
+diff -u arpwatch/report.c:1.1.1.1 arpwatch/report.c:1.1.1.1.4.1
+--- arpwatch/report.c:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/report.c Tue Apr 17 13:49:16 2001
+@@ -235,6 +235,7 @@
+ report(register char *title, register u_int32_t a, register u_char *e1,
+ register u_char *e2, register time_t *t1p, register time_t *t2p)
+ {
++ extern char *path_sendmail;
+ register char *cp, *hn;
+ register int fd, pid;
+ register FILE *f;
+@@ -242,7 +243,7 @@
+ char *fmt = "%20s: %s\n";
+ char *watcher = WATCHER;
+ char *watchee = WATCHEE;
+- char *sendmail = PATH_SENDMAIL;
++ char *sendmail = path_sendmail;
+ char *unknown = "<unknown>";
+ char buf[132];
+ static int init = 0;
--- /dev/null
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1.2.2 arpwatch/arpwatch.8:1.1.1.1.6.4
+--- arpwatch/arpwatch.8:1.1.1.1.2.2 Thu Aug 12 22:31:09 2004
++++ arpwatch/arpwatch.8 Thu Aug 12 22:30:19 2004
+@@ -63,6 +63,13 @@
+ ]
+ .\" **
+ .\" **
++.br
++.ti +8
++[
++.B -p
++]
++.\" **
++.\" **
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
+@@ -127,6 +134,17 @@
+ .\" **
+ .\" **
+ .LP
++(Debian) The
++.B -p
++flag disables promiscuous operation. ARP broadcasts get through hubs without
++having the interface in promiscuous mode, while saving considerable resources
++that would be wasted on processing gigabytes of non-broadcast traffic. OTOH,
++setting promiscuous mode does not mean getting 100% traffic that would concern
++.B arpwatch .
++YMMV.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1.2.5 arpwatch/arpwatch.c:1.1.1.1.2.1.4.3
+--- arpwatch/arpwatch.c:1.1.1.1.2.5 Sat Aug 14 02:33:07 2004
++++ arpwatch/arpwatch.c Fri Aug 13 00:14:41 2004
+@@ -172,6 +172,9 @@
+ "r:"
+ /**/
+ /**/
++ "p"
++ /**/
++ /**/
+ ;
+
+ if (argv[0] == NULL)
+@@ -223,6 +226,11 @@
+ break;
+ /**/
+ /**/
++ case 'p':
++ ++nopromisc;
++ break;
++ /**/
++ /**/
+ default:
+ usage();
+ }
+@@ -290,7 +298,7 @@
+ snaplen = max(sizeof(struct ether_header),
+ sizeof(struct fddi_header)) + sizeof(struct ether_arp);
+ timeout = 1000;
+- pd = pcap_open_live(interface, snaplen, 1, timeout, errbuf);
++ pd = pcap_open_live(interface, snaplen, !nopromisc, timeout, errbuf);
+ if (pd == NULL) {
+ syslog(LOG_ERR, "pcap open %s: %s", interface, errbuf);
+ exit(1);
+@@ -785,6 +793,9 @@
+ "[-r file] "
+ /**/
+ /**/
++ "[-p] "
++ /**/
++ /**/
+ "\n"
+ ;
+
+Index: arpwatch/util.c
+diff -u arpwatch/util.c:1.1.1.1.2.2 arpwatch/util.c:1.1.1.1.6.3
+--- arpwatch/util.c:1.1.1.1.2.2 Fri Aug 13 00:06:49 2004
++++ arpwatch/util.c Fri Aug 13 00:14:41 2004
+@@ -63,6 +63,9 @@
+ int initializing = 1; /* true if initializing */
+ /**/
+ /**/
++int nopromisc = 0; /* don't activate promisc mode */
++/**/
++/**/
+
+ /* syslog() helper routine */
+ void
+Index: arpwatch/util.h
+diff -u arpwatch/util.h:1.1.1.1.2.1 arpwatch/util.h:1.1.1.1.6.2
+--- arpwatch/util.h:1.1.1.1.2.1 Fri Aug 13 00:06:49 2004
++++ arpwatch/util.h Fri Aug 13 00:14:41 2004
+@@ -19,3 +19,6 @@
+ extern int initializing;
+ /**/
+ /**/
++extern int nopromisc;
++/**/
++/**/
--- /dev/null
+Index: arpwatch/arpsnmp.c
+diff -u arpwatch/arpsnmp.c:1.1.1.1.2.2 arpwatch/arpsnmp.c:1.1.1.1.2.1.6.2
+--- arpwatch/arpsnmp.c:1.1.1.1.2.2 Tue Aug 10 11:14:13 2004
++++ arpwatch/arpsnmp.c Fri Aug 13 02:17:33 2004
+@@ -63,7 +63,7 @@
+ /* Forwards */
+ int main(int, char **);
+ int readsnmp(char *);
+-int snmp_add(u_int32_t, u_char *, time_t, char *);
++int snmp_add(u_int32_t, u_char *, time_t, char *, char *);
+ __dead void usage(void) __attribute__((volatile));
+
+ char *prog;
+@@ -143,22 +143,24 @@
+ static time_t now;
+
+ int
+-snmp_add(register u_int32_t a, register u_char *e, time_t t, register char *h)
++snmp_add(register u_int32_t a, register u_char *e, time_t t, register char *h,
++ char *interface)
+ {
+ /* Watch for ethernet broadcast */
+ if (MEMCMP(e, zero, 6) == 0 || MEMCMP(e, allones, 6) == 0) {
+- dosyslog(LOG_INFO, "ethernet broadcast", a, e, NULL);
++ dosyslog(LOG_INFO, "ethernet broadcast", a, e, NULL,
++ interface);
+ return (1);
+ }
+
+ /* Watch for some ip broadcast addresses */
+ if (a == 0 || a == 1) {
+- dosyslog(LOG_INFO, "ip broadcast", a, e, NULL);
++ dosyslog(LOG_INFO, "ip broadcast", a, e, NULL, interface);
+ return (1);
+ }
+
+ /* Use current time (although it would be nice to subtract idle time) */
+- return (ent_add(a, e, now, h));
++ return (ent_add(a, e, now, h, interface));
+ }
+
+ /* Process an snmp file */
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1.2.2 arpwatch/arpwatch.8:1.1.1.1.8.5
+--- arpwatch/arpwatch.8:1.1.1.1.2.2 Thu Aug 12 22:31:09 2004
++++ arpwatch/arpwatch.8 Fri Aug 13 01:54:24 2004
+@@ -63,6 +63,13 @@
+ ]
+ .\" **
+ .\" **
++.br
++.ti +8
++[
++.B -a
++]
++.\" **
++.\" **
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
+@@ -127,6 +134,20 @@
+ .\" **
+ .\" **
+ .LP
++(Debian)
++.B -a
++By default,
++.B arpwatch
++reports bogons (unless
++.B -N
++is given) for IP addresses that are in the same subnet than the
++first IP address of the default interface. If this option is
++specified,
++.B arpwatch
++will report bogons about every IP addresses.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1.2.5 arpwatch/arpwatch.c:1.1.1.1.2.1.6.11
+--- arpwatch/arpwatch.c:1.1.1.1.2.5 Sat Aug 14 02:33:07 2004
++++ arpwatch/arpwatch.c Sat Aug 14 02:34:27 2004
+@@ -141,6 +141,8 @@
+ int sanity_fddi(struct fddi_header *, struct ether_arp *, int);
+ __dead void usage(void) __attribute__((volatile));
+
++static char *interface;
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -150,7 +152,7 @@
+ register int fd;
+ #endif
+ register pcap_t *pd;
+- register char *interface, *rfilename;
++ register char *rfilename;
+ struct bpf_program code;
+ char errbuf[PCAP_ERRBUF_SIZE];
+ char options[] =
+@@ -172,6 +174,9 @@
+ "r:"
+ /**/
+ /**/
++ "a"
++ /**/
++ /**/
+ ;
+
+ if (argv[0] == NULL)
+@@ -193,6 +198,10 @@
+ while ((op = getopt(argc, argv, options)) != EOF)
+ switch (op) {
+
++ case 'a':
++ ++allsubnets;
++ break;
++
+ case 'd':
+ ++debug;
+ #ifndef DEBUG
+@@ -401,29 +410,31 @@
+
+ /* Watch for bogons */
+ if (isbogon(sia)) {
+- dosyslog(LOG_INFO, "bogon", sia, sea, sha);
+- return;
++ dosyslog(LOG_INFO, "bogon", sia, sea, sha, interface);
++ if (!allsubnets) return;
+ }
+
+ /* Watch for ethernet broadcast */
+ if (MEMCMP(sea, zero, 6) == 0 || MEMCMP(sea, allones, 6) == 0 ||
+ MEMCMP(sha, zero, 6) == 0 || MEMCMP(sha, allones, 6) == 0) {
+- dosyslog(LOG_INFO, "ethernet broadcast", sia, sea, sha);
++ dosyslog(LOG_INFO, "ethernet broadcast", sia, sea, sha,
++ interface);
+ return;
+ }
+
+ /* Double check ethernet addresses */
+ if (MEMCMP(sea, sha, 6) != 0) {
+- dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha);
++ dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha,
++ interface);
+ return;
+ }
+
+ /* Got a live one */
+ t = h->ts.tv_sec;
+ can_checkpoint = 0;
+- if (!ent_add(sia, sea, t, NULL))
+- syslog(LOG_ERR, "ent_add(%s, %s, %ld) failed",
+- intoa(sia), e2str(sea), t);
++ if (!ent_add(sia, sea, t, NULL, interface))
++ syslog(LOG_ERR, "ent_add(%s, %s, %ld, %s) failed",
++ intoa(sia), e2str(sea), t, interface);
+ can_checkpoint = 1;
+ }
+
+@@ -550,29 +561,31 @@
+
+ /* Watch for bogons */
+ if (isbogon(sia)) {
+- dosyslog(LOG_INFO, "bogon", sia, sea, sha);
+- return;
++ dosyslog(LOG_INFO, "bogon", sia, sea, sha, interface);
++ if (!allsubnets) return;
+ }
+
+ /* Watch for ethernet broadcast */
+ if (MEMCMP(sea, zero, 6) == 0 || MEMCMP(sea, allones, 6) == 0 ||
+ MEMCMP(sha, zero, 6) == 0 || MEMCMP(sha, allones, 6) == 0) {
+- dosyslog(LOG_INFO, "ethernet broadcast", sia, sea, sha);
++ dosyslog(LOG_INFO, "ethernet broadcast", sia, sea, sha,
++ interface);
+ return;
+ }
+
+ /* Double check ethernet addresses */
+ if (MEMCMP(sea, sha, 6) != 0) {
+- dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha);
++ dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha,
++ interface);
+ return;
+ }
+
+ /* Got a live one */
+ t = h->ts.tv_sec;
+ can_checkpoint = 0;
+- if (!ent_add(sia, sea, t, NULL))
+- syslog(LOG_ERR, "ent_add(%s, %s, %ld) failed",
+- intoa(sia), e2str(sea), t);
++ if (!ent_add(sia, sea, t, NULL, interface))
++ syslog(LOG_ERR, "ent_add(%s, %s, %ld, %s) failed",
++ intoa(sia), e2str(sea), t, interface);
+ can_checkpoint = 1;
+ }
+
+@@ -785,6 +798,9 @@
+ "[-r file] "
+ /**/
+ /**/
++ "[-a] "
++ /**/
++ /**/
+ "\n"
+ ;
+
+Index: arpwatch/db.c
+diff -u arpwatch/db.c:1.1.1.1 arpwatch/db.c:1.1.1.1.8.1
+--- arpwatch/db.c:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/db.c Fri Aug 13 02:17:33 2004
+@@ -64,6 +64,7 @@
+ u_char e[6]; /* ether address */
+ char h[34]; /* simple hostname */
+ time_t t; /* timestamp */
++ char i[16]; /* interface */
+ };
+
+ /* Address info */
+@@ -80,13 +81,14 @@
+
+ static void alist_alloc(struct ainfo *);
+ int cmpeinfo(const void *, const void *);
+-static struct einfo *elist_alloc(u_int32_t, u_char *, time_t, char *);
++static struct einfo *elist_alloc(u_int32_t, u_char *, time_t, char *, char *);
+ static struct ainfo *ainfo_find(u_int32_t);
+ static void check_hname(struct ainfo *);
+ struct ainfo *newainfo(void);
+
+ int
+-ent_add(register u_int32_t a, register u_char *e, time_t t, register char *h)
++ent_add(register u_int32_t a, register u_char *e, time_t t, register char *h,
++ char *interface)
+ {
+ register struct ainfo *ap;
+ register struct einfo *ep;
+@@ -103,7 +105,8 @@
+ ep = ap->elist[0];
+ if (MEMCMP(e, ep->e, 6) == 0) {
+ if (t - ep->t > NEWACTIVITY_DELTA) {
+- report("new activity", a, e, NULL, &t, &ep->t);
++ report("new activity", a, e, NULL, &t, &ep->t,
++ interface);
+ check_hname(ap);
+ }
+ ep->t = t;
+@@ -114,8 +117,8 @@
+ /* Check for a virgin ainfo record */
+ if (ap->ecount == 0) {
+ ap->ecount = 1;
+- ap->elist[0] = elist_alloc(a, e, t, h);
+- report("new station", a, e, NULL, &t, NULL);
++ ap->elist[0] = elist_alloc(a, e, t, h, interface);
++ report("new station", a, e, NULL, &t, NULL, interface);
+ return (1);
+ }
+
+@@ -133,9 +136,11 @@
+ if (t - t2 < FLIPFLIP_DELTA &&
+ (isdecnet(e) || isdecnet(e2)))
+ dosyslog(LOG_INFO,
+- "suppressed DECnet flip flop", a, e, e2);
++ "suppressed DECnet flip flop", a, e, e2,
++ interface);
+ else
+- report("flip flop", a, e, e2, &t, &t2);
++ report("flip flop", a, e, e2, &t, &t2,
++ interface);
+ ap->elist[1] = ap->elist[0];
+ ap->elist[0] = ep;
+ ep->t = t;
+@@ -151,7 +156,7 @@
+ e2 = ap->elist[0]->e;
+ t2 = ap->elist[0]->t;
+ dosyslog(LOG_NOTICE, "reused old ethernet address",
+- a, e, e2);
++ a, e, e2, interface);
+ /* Shift entries down */
+ len = i * sizeof(ap->elist[0]);
+ BCOPY(&ap->elist[0], &ap->elist[1], len);
+@@ -165,12 +170,12 @@
+ /* New ether address */
+ e2 = ap->elist[0]->e;
+ t2 = ap->elist[0]->t;
+- report("changed ethernet address", a, e, e2, &t, &t2);
++ report("changed ethernet address", a, e, e2, &t, &t2, interface);
+ /* Make room at head of list */
+ alist_alloc(ap);
+ len = ap->ecount * sizeof(ap->elist[0]);
+ BCOPY(&ap->elist[0], &ap->elist[1], len);
+- ap->elist[0] = elist_alloc(a, e, t, h);
++ ap->elist[0] = elist_alloc(a, e, t, h, interface);
+ ++ap->ecount;
+ return (1);
+ }
+@@ -227,7 +232,7 @@
+ for (ap = &ainfo_table[i]; ap != NULL; ap = ap->next)
+ for (j = 0; j < ap->ecount; ++j) {
+ ep = ap->elist[j];
+- (*fn)(ap->a, ep->e, ep->t, ep->h);
++ (*fn)(ap->a, ep->e, ep->t, ep->h, ep->i);
+ ++n;
+ }
+ return (n);
+@@ -259,7 +264,7 @@
+ /* Allocate and initialize a elist struct */
+ static struct einfo *
+ elist_alloc(register u_int32_t a, register u_char *e, register time_t t,
+- register char *h)
++ register char *h, char *interface)
+ {
+ register struct einfo *ep;
+ register u_int size;
+@@ -286,6 +291,8 @@
+ if (h != NULL && !isdigit((int)*h))
+ strcpy(ep->h, h);
+ ep->t = t;
++ if (interface != NULL)
++ strncpy(ep->i, interface, 16);
+ return (ep);
+ }
+
+Index: arpwatch/db.h
+diff -u arpwatch/db.h:1.1.1.1 arpwatch/db.h:1.1.1.1.8.1
+--- arpwatch/db.h:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/db.h Fri Aug 13 02:17:33 2004
+@@ -1,10 +1,10 @@
+ /* @(#) $Header$ (LBL) */
+
+-typedef void (*ent_process)(u_int32_t, u_char *, time_t, char *);
++typedef void (*ent_process)(u_int32_t, u_char *, time_t, char *, char *);
+
+ #ifdef DEBUG
+ void debugdump(void);
+ #endif
+-int ent_add(u_int32_t, u_char *, time_t, char *);
++int ent_add(u_int32_t, u_char *, time_t, char *, char *);
+ int ent_loop(ent_process);
+ void sorteinfo(void);
+Index: arpwatch/file.c
+diff -u arpwatch/file.c:1.1.1.1 arpwatch/file.c:1.1.1.1.8.1
+--- arpwatch/file.c:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/file.c Fri Aug 13 02:17:33 2004
+@@ -69,6 +69,7 @@
+ u_int32_t a;
+ register time_t t;
+ register struct hostent *hp;
++ char *interface;
+ char line[1024];
+ u_char e[6];
+
+@@ -117,6 +118,7 @@
+ if (cp2 == NULL) {
+ t = 0;
+ h = NULL;
++ interface = NULL;
+ } else {
+ t = atoi(cp2);
+ h = strchr(cp2, '\t');
+@@ -126,11 +128,18 @@
+ while (*cp2 != '\n' && *cp2 != '\t' &&
+ *cp2 != '\0')
+ ++cp2;
++ if (*cp2 == '\t') {
++ *cp2++ = '\0';
++ while (*cp2 != '\n' && *cp2 != '\t' &&
++ *cp2 != '\0') ++cp2;
++ } else {
++ interface = NULL;
++ }
+ *cp2 = '\0';
+ }
+ }
+
+- if (!(*fn)(a, e, t, h))
++ if (!(*fn)(a, e, t, h, interface))
+ return(0);
+ }
+
+Index: arpwatch/file.h
+diff -u arpwatch/file.h:1.1.1.1 arpwatch/file.h:1.1.1.1.8.1
+--- arpwatch/file.h:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/file.h Fri Aug 13 02:17:33 2004
+@@ -1,5 +1,5 @@
+ /* @(#) $Header$ (LBL) */
+
+-typedef int (*file_process)(u_int32_t, u_char *, time_t, char *);
++typedef int (*file_process)(u_int32_t, u_char *, time_t, char *, char *);
+
+ int file_loop(FILE *, file_process, const char *);
+Index: arpwatch/report.c
+diff -u arpwatch/report.c:1.1.1.1 arpwatch/report.c:1.1.1.1.8.1
+--- arpwatch/report.c:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/report.c Fri Aug 13 02:17:33 2004
+@@ -233,7 +233,8 @@
+
+ void
+ report(register char *title, register u_int32_t a, register u_char *e1,
+- register u_char *e2, register time_t *t1p, register time_t *t2p)
++ register u_char *e2, register time_t *t1p, register time_t *t2p,
++ char *interface)
+ {
+ register char *cp, *hn;
+ register int fd, pid;
+@@ -253,7 +254,7 @@
+
+ if (debug) {
+ if (debug > 1) {
+- dosyslog(LOG_NOTICE, title, a, e1, e2);
++ dosyslog(LOG_NOTICE, title, a, e1, e2, interface);
+ return;
+ }
+ f = stdout;
+@@ -270,7 +271,7 @@
+ }
+
+ /* Syslog this event too */
+- dosyslog(LOG_NOTICE, title, a, e1, e2);
++ dosyslog(LOG_NOTICE, title, a, e1, e2, interface);
+
+ /* Update child depth */
+ ++cdepth;
+@@ -302,16 +303,19 @@
+
+ (void)fprintf(f, "From: %s\n", watchee);
+ (void)fprintf(f, "To: %s\n", watcher);
++ if (interface == NULL) interface = ""; /* shouldn't happen */
+ hn = gethname(a);
+ if (!isdigit(*hn))
+- (void)fprintf(f, "Subject: %s (%s)\n", title, hn);
++ (void)fprintf(f, "Subject: %s (%s) %s\n", title, hn,
++ interface);
+ else {
+- (void)fprintf(f, "Subject: %s\n", title);
++ (void)fprintf(f, "Subject: %s %s\n", title, interface);
+ hn = unknown;
+ }
+ (void)putc('\n', f);
+ (void)fprintf(f, fmt, "hostname", hn);
+ (void)fprintf(f, fmt, "ip address", intoa(a));
++ (void)fprintf(f, fmt, "interface", interface);
+ (void)fprintf(f, fmt, "ethernet address", e2str(e1));
+ if ((cp = ec_find(e1)) == NULL)
+ cp = unknown;
+Index: arpwatch/report.h
+diff -u arpwatch/report.h:1.1.1.1 arpwatch/report.h:1.1.1.1.8.1
+--- arpwatch/report.h:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/report.h Fri Aug 13 02:17:33 2004
+@@ -1,3 +1,3 @@
+ /* @(#) $Header$ (LBL) */
+
+-void report(char *, u_int32_t, u_char *, u_char *, time_t *, time_t *);
++void report(char *, u_int32_t, u_char *, u_char *, time_t *, time_t *, char *);
+Index: arpwatch/util.c
+diff -u arpwatch/util.c:1.1.1.1.2.2 arpwatch/util.c:1.1.1.1.8.5
+--- arpwatch/util.c:1.1.1.1.2.2 Fri Aug 13 00:06:49 2004
++++ arpwatch/util.c Fri Aug 13 02:17:33 2004
+@@ -63,11 +63,14 @@
+ int initializing = 1; /* true if initializing */
+ /**/
+ /**/
++int allsubnets = 0; /* watch all attached subnets */
++/**/
++/**/
+
+ /* syslog() helper routine */
+ void
+ dosyslog(register int p, register char *s, register u_int32_t a,
+- register u_char *ea, register u_char *ha)
++ register u_char *ea, register u_char *ha, char *interface)
+ {
+ char xbuf[64];
+
+@@ -84,23 +87,21 @@
+ }
+
+ if (debug)
+- fprintf(stderr, "%s: %s %s %s\n", prog, s, intoa(a), xbuf);
++ fprintf(stderr, "%s: %s %s %s %s\n", prog, s, intoa(a),
++ xbuf, interface);
+ else
+- syslog(p, "%s %s %s", s, intoa(a), xbuf);
++ syslog(p, "%s %s %s %s", s, intoa(a), xbuf, interface);
+ }
+
+ static FILE *dumpf;
+
+ void
+ dumpone(register u_int32_t a, register u_char *e, register time_t t,
+- register char *h)
++ register char *h, char *interface)
+ {
+- (void)fprintf(dumpf, "%s\t%s", e2str(e), intoa(a));
+- if (t != 0 || h != NULL)
+- (void)fprintf(dumpf, "\t%u", (u_int32_t)t);
+- if (h != NULL && *h != '\0')
+- (void)fprintf(dumpf, "\t%s", h);
+- (void)putc('\n', dumpf);
++ (void)fprintf(dumpf, "%s\t%s\t%u\t%s\t%s\n", e2str(e), intoa(a),
++ (u_int32_t)t, ((h != NULL)?h:""),
++ ((interface != NULL)?interface:""));
+ }
+
+ int
+Index: arpwatch/util.h
+diff -u arpwatch/util.h:1.1.1.1.2.1 arpwatch/util.h:1.1.1.1.8.4
+--- arpwatch/util.h:1.1.1.1.2.1 Fri Aug 13 00:06:49 2004
++++ arpwatch/util.h Fri Aug 13 02:17:33 2004
+@@ -1,8 +1,8 @@
+ /* @(#) $Header$ (LBL) */
+
+-void dosyslog(int, char *, u_int32_t, u_char *, u_char *);
++void dosyslog(int, char *, u_int32_t, u_char *, u_char *, char *);
+ int dump(void);
+-void dumpone(u_int32_t, u_char *, time_t, char *);
++void dumpone(u_int32_t, u_char *, time_t, char *, char *);
+ int readdata(void);
+ char *savestr(const char *);
+
+@@ -19,3 +19,6 @@
+ extern int initializing;
+ /**/
+ /**/
++extern int allsubnets;
++/**/
++/**/
--- /dev/null
+Index: arpwatch/arpsnmp.8
+diff -u arpwatch/arpsnmp.8:1.1.1.1.2.1 arpwatch/arpsnmp.8:1.1.1.1.12.4
+--- arpwatch/arpsnmp.8:1.1.1.1.2.1 Thu Aug 12 22:16:18 2004
++++ arpwatch/arpsnmp.8 Thu Aug 12 22:50:39 2004
+@@ -40,6 +40,14 @@
+ .\" **
+ .br
+ .ti +8
++[
++.B -m
++.I addr
++]
++.\" **
++.\" **
++.br
++.ti +8
+ .I file
+ [
+ .I ...
+@@ -70,6 +78,15 @@
+ .\" **
+ .\" **
+ .LP
++(Debian) The
++.B -m
++option is used to specify the e-mail address to which reports will be
++sent. By default, reports are sent to
++.I root
++on the local machine.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpsnmp.c
+diff -u arpwatch/arpsnmp.c:1.1.1.1.2.2 arpwatch/arpsnmp.c:1.1.1.1.2.1.8.2
+--- arpwatch/arpsnmp.c:1.1.1.1.2.2 Tue Aug 10 11:14:13 2004
++++ arpwatch/arpsnmp.c Tue Aug 10 11:17:43 2004
+@@ -80,6 +80,7 @@
+ char errbuf[256];
+ char options[] =
+ "d"
++ "m:"
+ "f:"
+ ;
+
+@@ -105,6 +106,10 @@
+ #endif
+ break;
+
++ case 'm':
++ mailaddress = optarg;
++ break;
++
+ case 'f':
+ arpfile = optarg;
+ break;
+@@ -188,6 +193,7 @@
+ extern char version[];
+ char usage[] =
+ "[-d] "
++ "[-m addr ] "
+ "[-f datafile] "
+ "file [...]\n"
+ ;
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1.2.2 arpwatch/arpwatch.8:1.1.1.1.12.4
+--- arpwatch/arpwatch.8:1.1.1.1.2.2 Thu Aug 12 22:31:09 2004
++++ arpwatch/arpwatch.8 Thu Aug 12 22:50:39 2004
+@@ -47,6 +47,8 @@
+ .B -i
+ .I interface
+ ]
++.\" **
++.\" **
+ .br
+ .ti +8
+ [
+@@ -63,6 +65,14 @@
+ ]
+ .\" **
+ .\" **
++.br
++.ti +8
++[
++.B -m
++.I addr
++]
++.\" **
++.\" **
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
+@@ -127,6 +137,15 @@
+ .\" **
+ .\" **
+ .LP
++(Debian) The
++.B -m
++option is used to specify the e-mail address to which reports will be
++sent. By default, reports are sent to
++.I root
++on the local machine.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1.2.5 arpwatch/arpwatch.c:1.1.1.1.2.1.8.3
+--- arpwatch/arpwatch.c:1.1.1.1.2.5 Sat Aug 14 02:33:07 2004
++++ arpwatch/arpwatch.c Fri Aug 13 00:22:17 2004
+@@ -172,6 +172,9 @@
+ "r:"
+ /**/
+ /**/
++ "m:"
++ /**/
++ /**/
+ ;
+
+ if (argv[0] == NULL)
+@@ -223,6 +226,11 @@
+ break;
+ /**/
+ /**/
++ case 'm':
++ mailaddress = optarg;
++ break;
++ /**/
++ /**/
+ default:
+ usage();
+ }
+@@ -785,6 +793,9 @@
+ "[-r file] "
+ /**/
+ /**/
++ "[-m addr] "
++ /**/
++ /**/
+ "\n"
+ ;
+
+Index: arpwatch/report.c
+diff -u arpwatch/report.c:1.1.1.1 arpwatch/report.c:1.1.1.1.12.1
+--- arpwatch/report.c:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/report.c Tue Apr 17 13:54:38 2001
+@@ -240,7 +240,7 @@
+ register FILE *f;
+ char tempfile[64], cpu[64], os[64];
+ char *fmt = "%20s: %s\n";
+- char *watcher = WATCHER;
++ char *watcher = mailaddress;
+ char *watchee = WATCHEE;
+ char *sendmail = PATH_SENDMAIL;
+ char *unknown = "<unknown>";
+Index: arpwatch/util.c
+diff -u arpwatch/util.c:1.1.1.1.2.2 arpwatch/util.c:1.1.1.1.12.3
+--- arpwatch/util.c:1.1.1.1.2.2 Fri Aug 13 00:06:49 2004
++++ arpwatch/util.c Fri Aug 13 00:22:17 2004
+@@ -50,6 +50,7 @@
+ #include "ec.h"
+ #include "file.h"
+ #include "util.h"
++#include "addresses.h"
+
+ char *arpdir = ARPDIR;
+ char *arpfile = ARPFILE;
+@@ -63,6 +64,9 @@
+ int initializing = 1; /* true if initializing */
+ /**/
+ /**/
++char *mailaddress = WATCHER;
++/**/
++/**/
+
+ /* syslog() helper routine */
+ void
+Index: arpwatch/util.h
+diff -u arpwatch/util.h:1.1.1.1.2.1 arpwatch/util.h:1.1.1.1.12.2
+--- arpwatch/util.h:1.1.1.1.2.1 Fri Aug 13 00:06:49 2004
++++ arpwatch/util.h Fri Aug 13 00:22:17 2004
+@@ -19,3 +19,6 @@
+ extern int initializing;
+ /**/
+ /**/
++extern char *mailaddress;
++/**/
++/**/
--- /dev/null
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1.2.2 arpwatch/arpwatch.8:1.1.1.1.20.3
+--- arpwatch/arpwatch.8:1.1.1.1.2.2 Thu Aug 12 22:31:09 2004
++++ arpwatch/arpwatch.8 Sat Aug 14 02:21:59 2004
+@@ -63,6 +63,20 @@
+ ]
+ .\" **
+ .\" **
++.br
++.ti +8
++[
++.B -u
++.I username
++]
++.br
++.ti +8
++[
++.B -R
++.I seconds
++]
++.\" **
++.\" **
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
+@@ -127,6 +141,34 @@
+ .\" **
+ .\" **
+ .LP
++(Debian) The
++.B -u
++flag instructs
++.B arpwatch
++to drop root privileges and change the UID to
++.I username
++and GID to the primary group of
++.I username .
++This is recommended for security reasons, but
++.I username
++has to have write access to the default directory.
++.LP
++(Debian) The
++.B -R
++flag instructs
++.B arpwatch
++to restart in
++.I seconds
++seconds after the interface went down. By default, in such cases
++arpwatch would print an error message and exit. This option is
++ignored if either the
++.B -r
++or
++.B -u
++flags are used.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1.2.5 arpwatch/arpwatch.c:1.1.1.1.2.1.10.7
+--- arpwatch/arpwatch.c:1.1.1.1.2.5 Sat Aug 14 02:33:07 2004
++++ arpwatch/arpwatch.c Sat Aug 14 02:36:15 2004
+@@ -62,7 +62,8 @@
+ #include <string.h>
+ #include <syslog.h>
+ #include <unistd.h>
+-
++#include <pwd.h>
++#include <grp.h>
+ #include <pcap.h>
+
+ #include "gnuc.h"
+@@ -141,6 +142,24 @@
+ int sanity_fddi(struct fddi_header *, struct ether_arp *, int);
+ __dead void usage(void) __attribute__((volatile));
+
++void dropprivileges(const char* user)
++{
++ struct passwd* pw;
++ pw = getpwnam( user );
++ if ( pw ) {
++ if ( initgroups(pw->pw_name, 0) != 0 || setgid(pw->pw_gid) != 0 ||
++ setuid(pw->pw_uid) != 0 ) {
++ syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,pw->pw_uid, pw->pw_gid);
++ exit(1);
++ }
++ }
++ else {
++ syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user);
++ exit(1);
++ }
++ syslog(LOG_INFO, "Running as uid=%d gid=%d", getuid(), getgid());
++}
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -153,6 +172,8 @@
+ register char *interface, *rfilename;
+ struct bpf_program code;
+ char errbuf[PCAP_ERRBUF_SIZE];
++ char* username = NULL;
++ int restart = 0;
+ char options[] =
+ "d"
+ /**/
+@@ -172,6 +193,10 @@
+ "r:"
+ /**/
+ /**/
++ "u:"
++ "R:"
++ /**/
++ /**/
+ ;
+
+ if (argv[0] == NULL)
+@@ -223,6 +248,19 @@
+ break;
+ /**/
+ /**/
++ case 'u':
++ if ( optarg ) {
++ username = strdup(optarg);
++ } else {
++ fprintf(stderr, "%s: Need username after -u\n", prog);
++ usage();
++ }
++ break;
++ case 'R':
++ restart = atoi(optarg);
++ break;
++ /**/
++ /**/
+ default:
+ usage();
+ }
+@@ -233,6 +271,8 @@
+ if (rfilename != NULL) {
+ net = 0;
+ netmask = 0;
++ interface = "(from file)";
++ restart = 0;
+ } else {
+ /* Determine interface if not specified */
+ if (interface == NULL &&
+@@ -279,6 +319,7 @@
+ syslog(LOG_ERR, "(using current working directory)");
+ }
+
++label_restart:
+ if (rfilename != NULL) {
+ pd = pcap_open_offline(rfilename, errbuf);
+ if (pd == NULL) {
+@@ -293,19 +334,29 @@
+ pd = pcap_open_live(interface, snaplen, 1, timeout, errbuf);
+ if (pd == NULL) {
+ syslog(LOG_ERR, "pcap open %s: %s", interface, errbuf);
+- exit(1);
++ if (restart) {
++ syslog(LOG_ERR, "restart in %d secs", restart);
++ } else {
++ exit(1);
++ }
++ sleep(restart);
++ goto label_restart;
+ }
+ #ifdef WORDS_BIGENDIAN
+ swapped = 1;
+ #endif
+ }
+
++ if ( username && !restart ) {
++ dropprivileges( username );
++ } else {
+ /*
+ * Revert to non-privileged user after opening sockets
+ * (not needed on most systems).
+ */
+- setgid(getgid());
+- setuid(getuid());
++ setgid(getgid());
++ setuid(getuid());
++ }
+
+ /* Must be ethernet or fddi */
+ linktype = pcap_datalink(pd);
+@@ -785,6 +836,10 @@
+ "[-r file] "
+ /**/
+ /**/
++ "[-u username] "
++ "[-R seconds ] "
++ /**/
++ /**/
+ "\n"
+ ;
+
--- /dev/null
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1.2.2 arpwatch/arpwatch.8:1.1.1.1.22.3
+--- arpwatch/arpwatch.8:1.1.1.1.2.2 Thu Aug 12 22:31:09 2004
++++ arpwatch/arpwatch.8 Fri Aug 13 00:02:30 2004
+@@ -63,6 +63,13 @@
+ ]
+ .\" **
+ .\" **
++.br
++.ti +8
++[
++.B -Q
++]
++.\" **
++.\" **
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
+@@ -127,6 +134,12 @@
+ .\" **
+ .\" **
+ .LP
++(Debian) The
++.B -Q
++flags prevents arpwatch from sending reports by mail.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1.2.5 arpwatch/arpwatch.c:1.1.1.1.2.1.12.3
+--- arpwatch/arpwatch.c:1.1.1.1.2.5 Sat Aug 14 02:33:07 2004
++++ arpwatch/arpwatch.c Fri Aug 13 00:09:54 2004
+@@ -172,6 +172,9 @@
+ "r:"
+ /**/
+ /**/
++ "Q"
++ /**/
++ /**/
+ ;
+
+ if (argv[0] == NULL)
+@@ -223,6 +226,12 @@
+ break;
+ /**/
+ /**/
++ case 'Q':
++ ++quiet;
++ break;
++
++ /**/
++ /**/
+ default:
+ usage();
+ }
+@@ -785,6 +794,9 @@
+ "[-r file] "
+ /**/
+ /**/
++ "[-Q] "
++ /**/
++ /**/
+ "\n"
+ ;
+
+Index: arpwatch/report.c
+diff -u arpwatch/report.c:1.1.1.1 arpwatch/report.c:1.1.1.1.22.1
+--- arpwatch/report.c:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/report.c Wed Aug 11 23:10:28 2004
+@@ -272,6 +272,10 @@
+ /* Syslog this event too */
+ dosyslog(LOG_NOTICE, title, a, e1, e2);
+
++ /* return if watcher is an empty string */
++ if ( quiet )
++ return;
++
+ /* Update child depth */
+ ++cdepth;
+
+Index: arpwatch/util.c
+diff -u arpwatch/util.c:1.1.1.1.2.2 arpwatch/util.c:1.1.1.1.2.1.4.2
+--- arpwatch/util.c:1.1.1.1.2.2 Fri Aug 13 00:06:49 2004
++++ arpwatch/util.c Fri Aug 13 00:09:54 2004
+@@ -63,6 +63,9 @@
+ int initializing = 1; /* true if initializing */
+ /**/
+ /**/
++int quiet = 0; /* send mail by default */
++/**/
++/**/
+
+ /* syslog() helper routine */
+ void
+Index: arpwatch/util.h
+diff -u arpwatch/util.h:1.1.1.1.2.1 arpwatch/util.h:1.1.1.1.22.2
+--- arpwatch/util.h:1.1.1.1.2.1 Fri Aug 13 00:06:49 2004
++++ arpwatch/util.h Fri Aug 13 00:09:54 2004
+@@ -19,3 +19,6 @@
+ extern int initializing;
+ /**/
+ /**/
++extern int quiet;
++/**/
++/**/
--- /dev/null
+Index: arpwatch/arpwatch.8
+diff -u arpwatch/arpwatch.8:1.1.1.1.2.2 arpwatch/arpwatch.8:1.1.1.1.24.2
+--- arpwatch/arpwatch.8:1.1.1.1.2.2 Thu Aug 12 22:31:09 2004
++++ arpwatch/arpwatch.8 Thu Aug 12 23:44:44 2004
+@@ -63,6 +63,14 @@
+ ]
+ .\" **
+ .\" **
++.br
++.ti +8
++[
++.B -z
++.I ignorenet/ignoremask
++]
++.\" **
++.\" **
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
+@@ -127,6 +135,13 @@
+ .\" **
+ .\" **
+ .LP
++(Debian) The
++.B -z
++flag is used to set a range of ip addresses to ignore (such as a DHCP
++range). Netmask is specified as 255.255.128.0.
++.\" **
++.\" **
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1.2.5 arpwatch/arpwatch.c:1.1.1.1.2.1.14.6
+--- arpwatch/arpwatch.c:1.1.1.1.2.5 Sat Aug 14 02:33:07 2004
++++ arpwatch/arpwatch.c Fri Aug 13 02:40:20 2004
+@@ -123,6 +123,9 @@
+ static int nets_ind;
+ static int nets_size;
+
++static struct in_addr ignore_net;
++static struct in_addr ignore_netmask;
++
+ extern int optind;
+ extern int opterr;
+ extern char *optarg;
+@@ -172,7 +175,11 @@
+ "r:"
+ /**/
+ /**/
++ "z:"
++ /**/
++ /**/
+ ;
++ char *tmpptr;
+
+ if (argv[0] == NULL)
+ prog = "arpwatch";
+@@ -190,6 +197,9 @@
+ interface = NULL;
+ rfilename = NULL;
+ pd = NULL;
++
++ inet_aton("0.0.0.0", &ignore_netmask);
++ inet_aton("255.255.255.255", &ignore_netmask);
+ while ((op = getopt(argc, argv, options)) != EOF)
+ switch (op) {
+
+@@ -223,6 +233,14 @@
+ break;
+ /**/
+ /**/
++ case 'z':
++ tmpptr = strtok(optarg, "/");
++ inet_aton(tmpptr, &ignore_net);
++ tmpptr = strtok(NULL, "/");
++ inet_aton(tmpptr, &ignore_netmask);
++ break;
++ /**/
++ /**/
+ default:
+ usage();
+ }
+@@ -418,7 +436,15 @@
+ return;
+ }
+
++ /* Ignores the specified netmask/metwork */
++ if ((sia & ignore_netmask.s_addr) == ignore_net.s_addr) {
++ if (debug) {
++ dosyslog(LOG_INFO, "ignored", sia, sea, sha, interface);
++ }
++ return;
++ }
+ /* Got a live one */
++
+ t = h->ts.tv_sec;
+ can_checkpoint = 0;
+ if (!ent_add(sia, sea, t, NULL))
+@@ -785,6 +811,9 @@
+ "[-r file] "
+ /**/
+ /**/
++ "[-z ignorenet/ignoremask] "
++ /**/
++ /**/
+ "\n"
+ ;
+
--- /dev/null
+Index: arpwatch/arp2ethers
+diff -u arpwatch/arp2ethers:1.1.1.2 arpwatch/arp2ethers:1.1.1.1.14.4
+--- arpwatch/arp2ethers:1.1.1.2 Tue Aug 10 10:53:34 2004
++++ arpwatch/arp2ethers Fri Aug 13 00:34:55 2004
+@@ -12,12 +12,84 @@
+ # - append "-old", "-old1", etc. as necessary
+ # - sort
+ #
++# 1999-04-12 KELEMEN Peter <fuji@debian.org>
++# Use sh(1) instead of csh(1).
++#
++# 2000-03-21 Erik Warmelink <erik@selwerd.nl>
++# Use next instead of continue in included p.awk.
++#
++# 2004-06-26 Javier Fernandez-Sanguino <jfs@debian.org>
++# Use a default file or the one provided in the command line
+
+-sort +2rn arp.dat | \
++FILE=/var/lib/arpwatch/arp.dat
++[ -n "$1" ] && FILE=$1
++[ -r "$FILE" ] || {
++ echo "Cannot read file $FILE"
++ exit 1
++}
++
++sort +2rn $FILE | \
+ awk 'NF == 4 { print }' | \
+- awk -f p.awk | \
++# 1999-04-12 KELEMEN Peter <fuji@debian.org>
++# awk -f p.awk | \
++ awk '
++# Only print the first ethernet address seen
++
++{
++ e = $1
++ if (seen[e])
++ next
++ seen[e] = 1
++ print $0
++}
++ ' | \
+ egrep -v '\.[0-9][0-9]*$' | \
+ sed -e 's/ .* / /' | \
+- awk -f d.awk | \
+- awk -f e.awk | \
++# 1999-04-12 KELEMEN Peter <fuji@debian.org>
++# awk -f d.awk | \
++ awk '
++# DECnet hacking
++
++BEGIN {
++ n = 0
++ sdecnet = "aa:0:4:"
++ ldecnet = length(sdecnet)
++}
++
++{
++ ++n
++ e[n] = $1
++ h[n] = $2
++ if (sdecnet == substr($1, 1, ldecnet))
++ decnet[$2] = 1
++}
++
++END {
++ for (i = 1; i <= n; ++i) {
++ if (decnet[h[i]] && sdecnet != substr(e[i], 1, ldecnet))
++ h[i] = h[i] "-ip"
++ print e[i] "\t" h[i]
++ }
++}
++ ' | \
++# 1999-04-12 KELEMEN Peter <fuji@debian.org>
++# awk -f e.awk | \
++ awk '
++# Add -old suffix to ethers file, as required. Assumed sorted input
++
++{
++ if (!seen[$2]) {
++ seen[$2] = 1
++ print
++ next
++ }
++ h = $2 "-old"
++ s = h
++ for (n = 1; seen[h]; ++n)
++ h = s n
++ seen[h] = 1
++ print $1 "\t" h
++ next
++}
++ ' | \
+ sort
--- /dev/null
+Index: arpwatch/arpfetch
+diff -u arpwatch/arpfetch:1.1.1.1 arpwatch/arpfetch:1.1.1.1.18.1
+--- arpwatch/arpfetch:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpfetch Wed Aug 11 21:54:18 2004
+@@ -1,5 +1,4 @@
+ #!/bin/sh
+-# @(#) $Id$ (LBL)
+ #
+ # arpfetch - collect arp data from a cisco using snmpwalk
+ #
+@@ -10,8 +9,8 @@
+ #
+ host=$1
+ cname=$2
+-temp=/tmp/arpfetch.temp.$$
+-errs=/tmp/arpfetch.errs.$$
++temp=`tempfile -p arpft -s .temp.tmp`
++errs=`tempfile -p arpft -s .errs.tmp`
+ what="ip.ipnettomediatable.ipnettomediaentry.ipnettomediaphysaddress"
+ #
+ # Get the data
+Index: arpwatch/bihourly
+diff -u arpwatch/bihourly:1.1.1.1 arpwatch/bihourly:1.1.1.1.18.1
+--- arpwatch/bihourly:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/bihourly Wed Aug 11 21:54:18 2004
+@@ -11,6 +11,7 @@
+ list=`cat list`
+ cname=`cat cname`
+ errs=/tmp/bihourly.$$
++errs=`tempfile -p arpbh -s .tmp`
+ #
+ alist=""
+ for r in $list; do \
+Index: arpwatch/mkdep
+diff -u arpwatch/mkdep:1.1.1.1 arpwatch/mkdep:1.1.1.1.18.1
+--- arpwatch/mkdep:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/mkdep Wed Aug 11 21:54:18 2004
+@@ -51,7 +51,7 @@
+ exit 1
+ fi
+
+-TMP=/tmp/mkdep$$
++TMP=`tempfile -p mkdep -s .tmp`
+
+ trap 'rm -f $TMP ; exit 1' 1 2 3 13 15
+
--- /dev/null
+Index: arpwatch/Makefile.in
+diff -u arpwatch/Makefile.in:1.1.1.1 arpwatch/Makefile.in:1.1.1.1.30.1
+--- arpwatch/Makefile.in:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/Makefile.in Thu Aug 12 15:10:44 2004
+@@ -65,7 +65,7 @@
+ @rm -f $@
+ $(CC) $(CFLAGS) -c $(srcdir)/$*.c
+
+-CSRC = db.c dns.c ec.c file.c intoa.c machdep.c util.c report.c setsignal.c
++CSRC = db.c dns.c ec.c file.c intoa.c machdep.c util.c report.c localhost.c setsignal.c
+ WSRC = arpwatch.c
+ SSRC = arpsnmp.c
+ GENSRC = version.c
+@@ -77,7 +77,7 @@
+ OBJ = $(WSRC:.c=.o) $(SSRC:.c=.o) $(CSRC:.c=.o) $(GENSRC:.c=.o) @LIBOBJS@
+ WOBJ = $(WSRC:.c=.o) $(CSRC:.c=.o) $(GENSRC:.c=.o) @LIBOBJS@
+ SOBJ = $(SSRC:.c=.o) $(CSRC:.c=.o) $(GENSRC:.c=.o) @LIBOBJS@
+-HDR = arpwatch.h db.h dns.h ec.h file.h machdep.h report.h setsignal.h
++HDR = arpwatch.h db.h dns.h ec.h file.h machdep.h report.h localhost.h setsignal.h
+
+ TAGHDR = \
+ /usr/include/net/if.h \
+Index: arpwatch/localhost.c
+diff -u /dev/null arpwatch/localhost.c:1.1.2.1
+--- /dev/null Sat Aug 14 03:19:35 2004
++++ arpwatch/localhost.c Fri Aug 13 01:51:30 2004
+@@ -0,0 +1,70 @@
++/* A slightly more convenient wrapper for gethostname
++
++ Copyright (C) 1996 Free Software Foundation, Inc.
++
++ Written by Miles Bader <miles@gnu.ai.mit.edu>
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License as
++ published by the Free Software Foundation; either version 2, or (at
++ your option) any later version.
++
++ This program is distributed in the hope that it will be useful, but
++ WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program; if not, write to the Free Software
++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <unistd.h>
++#include <malloc.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++
++#include "localhost.h"
++/* Return the name of the localhost. This is just a wrapper for gethostname,
++ which takes care of allocating a big enough buffer, and caches the result
++ after the first call (so the result should be copied before modification).
++ If something goes wrong, 0 is returned, and errno set. */
++char *
++localhost (void)
++{
++ static char *buf = 0;
++ static size_t buf_len = 0;
++ int myerror = 0;
++
++ if (! buf) {
++ do {
++ errno = 0;
++ if (buf) {
++ buf_len += buf_len;
++ buf = realloc (buf, buf_len);
++ } else {
++ buf_len = 128; /* Initial guess */
++ buf = malloc (buf_len);
++ }
++ if (! buf) {
++ errno = ENOMEM;
++ return 0;
++ }
++ } while ( (
++ (myerror = gethostname(buf, buf_len)) == 0
++ && !memchr (buf, '\0', buf_len))
++ || errno == ENAMETOOLONG
++ );
++
++ if (myerror) {
++ /* gethostname failed, abort. */
++ free (buf);
++ buf = "(unknown host)";
++ }
++ }
++ return buf;
++}
+Index: arpwatch/localhost.h
+diff -u /dev/null arpwatch/localhost.h:1.1.2.1
+--- /dev/null Sat Aug 14 03:19:35 2004
++++ arpwatch/localhost.h Fri Aug 13 01:51:30 2004
+@@ -0,0 +1 @@
++char * localhost(void);
+Index: arpwatch/report.c
+diff -u arpwatch/report.c:1.1.1.1 arpwatch/report.c:1.1.1.1.30.2
+--- arpwatch/report.c:1.1.1.1 Tue Apr 17 13:31:37 2001
++++ arpwatch/report.c Fri Aug 13 01:49:30 2004
+@@ -67,6 +67,7 @@
+ #include "report.h"
+ #include "setsignal.h"
+ #include "util.h"
++#include "localhost.h"
+
+ #define PLURAL(n) ((n) == 1 || (n) == -1 ? "" : "s")
+
+@@ -300,7 +301,7 @@
+ syslog(LOG_ERR, "unlink(%s): %m", tempfile);
+ }
+
+- (void)fprintf(f, "From: %s\n", watchee);
++ (void)fprintf(f, "From: arpwatch (Arpwatch %s)\n", localhost());
+ (void)fprintf(f, "To: %s\n", watcher);
+ hn = gethname(a);
+ if (!isdigit(*hn))
--- /dev/null
+Index: arpwatch/db.c
+diff -u arpwatch/db.c:1.1.1.1 arpwatch/db.c:1.1.1.1.32.1
+--- arpwatch/db.c:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/db.c Thu Aug 12 15:27:22 2004
+@@ -95,6 +95,11 @@
+ u_char *e2;
+ time_t t2;
+
++ /* Ignore 0.0.0.0 */
++ if (a == 0) {
++ return(1);
++ }
++
+ /* Lookup ip address */
+ ap = ainfo_find(a);
+
--- /dev/null
+Index: arpwatch/arpwatch.c
+diff -u arpwatch/arpwatch.c:1.1.1.1 arpwatch/arpwatch.c:1.1.1.1.20.1
+--- arpwatch/arpwatch.c:1.1.1.1 Tue Apr 17 13:31:36 2001
++++ arpwatch/arpwatch.c Thu Aug 12 23:51:51 2004
+@@ -223,9 +223,10 @@
+
+ /* Determine network and netmask */
+ if (pcap_lookupnet(interface, &net, &netmask, errbuf) < 0) {
+- (void)fprintf(stderr, "%s: bad interface %s: %s\n",
+- prog, interface, errbuf);
+- exit(1);
++ syslog(LOG_NOTICE, "bad interface %s: %s - assuming unconfigured interface",
++ interface, errbuf);
++ net = 0;
++ netmask = 0;
+ }
+
+ /* Drop into the background if not debugging */