josy1024/arp_find_who-has_requests.sh

## arp_find_who-has_requests.sh
#!/bin/bash
#
# inspired from: Zeitmanagement für Systemadministratoren Thomas A. Limoncelli

#take a sample of 100 requests...
# -i any (most systems have more than one interface)
tcpdump -i any -l -n arp | grep 'who-has' |head -100 > /tmp/arprequests.txt

# wich sources?
cat /tmp/arprequests.txt | awk '{ print $NF }' | sort | uniq -c | sort -nr

#magic with DNS!:
for ip in `cat /tmp/arprequests.txt | awk '{ print $NF }'`; do dig +noall +answer -x $ip; done | awk '{ print $NF }' | sort | uniq -c | sort -nr
# soumetimes $(NF-1)
for ip in `cat /tmp/arprequests.txt | awk '{ print $(NF-2) }'`; do dig +noall +answer -x $ip; done | awk '{ print $NF }' | sort | uniq -c | sort -nr

# wich targets?
# (usually monitoring system...)
cat /tmp/arprequests.txt | awk '{ print $4 }' | sort | uniq -c | sort -nr

#DNS
for ip in `cat /tmp/arprequests.txt | awk '{ print $4 }'`; do dig +noall +answer -x $ip; done | awk '{ print $NF }' | sort | uniq -c | sort -nr
	#!/bin/bash
	#
	# inspired from: Zeitmanagement für Systemadministratoren Thomas A. Limoncelli

	#take a sample of 100 requests...
	# -i any (most systems have more than one interface)
	tcpdump -i any -l -n arp \| grep 'who-has' \|head -100 > /tmp/arprequests.txt

	# wich sources?
	cat /tmp/arprequests.txt \| awk '{ print $NF }' \| sort \| uniq -c \| sort -nr

	#magic with DNS!:
	for ip in `cat /tmp/arprequests.txt \| awk '{ print $NF }'`; do dig +noall +answer -x $ip; done \| awk '{ print $NF }' \| sort \| uniq -c \| sort -nr
	# soumetimes $(NF-1)
	for ip in `cat /tmp/arprequests.txt \| awk '{ print $(NF-2) }'`; do dig +noall +answer -x $ip; done \| awk '{ print $NF }' \| sort \| uniq -c \| sort -nr

	# wich targets?
	# (usually monitoring system...)
	cat /tmp/arprequests.txt \| awk '{ print $4 }' \| sort \| uniq -c \| sort -nr

	#DNS
	for ip in `cat /tmp/arprequests.txt \| awk '{ print $4 }'`; do dig +noall +answer -x $ip; done \| awk '{ print $NF }' \| sort \| uniq -c \| sort -nr