The Neighbor Discovery Protocol Monitor (NDPMon) is a diagnostic software application used by Internet Protocol version 6 network administrators for monitoring ICMPv6 packets. NDPMon observes the local network for anomalies in the function of nodes using Neighbor Discovery Protocol (NDP) messages. When an NDP message is flagged, it notifies the administrator by writing to the syslog or by sending an email report. It may also execute a user-defined script. For IPv6, NDPMon is an equivalent of Arpwatch for IPv4, and has similar basic features.
NDPMon runs on Linux distributions, Mac OS X, FreeBSD (available as port), NetBSD et OpenBSD. It uses a configuration file containing the expected and valid behavior for nodes and routers on the link. This includes the routers addresses (MAC and IP) and the prefixes announced. NDPMon also maintains up-to-date a list of neighbors on the link.
[edit] Alerts and reports
NDPMon generates various reports and alerts, including:
- wrong couple MAC/IP: the MAC address is valid, so is the IP address, but not both of them together
- wrong router MAC: invalid MAC address
- wrong router IP address, invalid IP address
- wrong prefix: invalid IPv6 prefix
- wrong router redirect: the router which emitted the redirect is not valid
- router flag in Neighbor Advertisement: a node not declared as a router announced itself as one
- Duplicate Address Detection DOS: duplicate address detection denial of service
- flip flop: a node uses two MAC addresses one after the other
- reused old Ethernet address: reuse of an old MAC address
- Unknown MAC Manufacturer: MAC vendor unknown, might be a forged one
- new station: new node on the link
- new IPv6 Global Address: new IPv6 Global address for a node
- new IPv6 Link Local Address: new IPv6 Link Local address for a node
- Ethernet mismatch
- IP Multicast
- Ethernet Broadcast
[edit] See also
[edit] References
[edit] External links
