0

I'm trying to monitor my ARP table in Linux using C++, and so far the only solution I have is polling /proc/net/arp every interval and comparing it to the previous state.

Can I use netlink sockets in order to receive events from the kernel on these changes?

I have looked around and cannot find a straight answer. I found tools like ip-monitor but didn't find out how they get this data.

If netlink sockets cannot provide this information, is there any other way to extract this with events and not polling?

Amir Rossert
  • I can also manage with something like inotify to get an event on change and then compare the current state to the previous one, but inotify can't monitor /proc – Amir Rossert May 22 '16 at 08:11
  • I have found [this](http://stackoverflow.com/questions/11788326/extract-current-route-from-netlink-message-code-attached) for monitoring routing table changes, can I use the same technique to monitor the ARP table? – Amir Rossert May 24 '16 at 07:45

1 Answer

2

I was able to find how to get events on ARP table changes using a netlink socket. The only thing that I am missing is how to extract the ARP details from the event, but for now this will do:

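```cpp
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

int main() {
    int sock;
    static struct sockaddr_nl g_addr;

    /* Zeroing addr */
    memset(&g_addr, 0, sizeof(g_addr));
    g_addr.nl_family = AF_NETLINK;
    /* RTMGRP_NEIGH is the bitmask for group RTNLGRP_NEIGH, i.e.
       1 << (RTNLGRP_NEIGH - 1); it replaces the nl_mgrp() helper,
       which the kernel headers do not provide */
    g_addr.nl_groups = RTMGRP_NEIGH;

    if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
        printf("socket() error: %s\n", strerror(errno));
        return -1;
    }

    if (bind(sock, (struct sockaddr *) &g_addr, sizeof(g_addr)) < 0) {
        printf("bind() error: %s\n", strerror(errno));
        return -1;
    }

    char buffer[4096];
    int received_bytes = 0;

    while (true) {
        received_bytes = recv(sock, buffer, sizeof(buffer), 0);
        if (received_bytes > 0) {
            printf("Event\n");
            // How to parse the event
        } else if (received_bytes < 0 && errno != EINTR) {
            // Stop instead of spinning on a persistent socket error
            printf("recv() error: %s\n", strerror(errno));
            return -1;
        }
    }
}
```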
Amir Rossert
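The parsing step the answer leaves open, as an added example that is not part of the original answer: each datagram holds one or more netlink messages, and a neighbour message is an `ndmsg` header followed by `rtattr` attributes, where `NDA_DST` carries the IP and `NDA_LLADDR` the MAC. It also decodes IPv6 neighbour entries, which arrive on the same group. The names `NeighEvent`, `parse_neigh_events` and `sample_event` are hypothetical, and the sample message is constructed so the block runs without a socket.

```cpp
#include <arpa/inet.h>
#include <linux/neighbour.h>
#include <linux/rtnetlink.h>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct NeighEvent { bool deleted; int ifindex; unsigned state; std::string ip, mac; };

// Illustrative helper: decode each RTM_NEWNEIGH / RTM_DELNEIGH in buf[0..len) as filled by recv().
std::vector<NeighEvent> parse_neigh_events(char *buf, int len) {
    std::vector<NeighEvent> out;
    for (nlmsghdr *nh = (nlmsghdr *)buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type != RTM_NEWNEIGH && nh->nlmsg_type != RTM_DELNEIGH) continue;
        if (nh->nlmsg_len < NLMSG_SPACE(sizeof(ndmsg))) continue;  // too short to hold ndmsg
        ndmsg *nd = (ndmsg *)NLMSG_DATA(nh);
        NeighEvent ev{nh->nlmsg_type == RTM_DELNEIGH, nd->ndm_ifindex, nd->ndm_state, "", ""};
        int alen = nh->nlmsg_len - NLMSG_SPACE(sizeof(ndmsg));
        rtattr *a = (rtattr *)((char *)nh + NLMSG_SPACE(sizeof(ndmsg)));
        for (; RTA_OK(a, alen); a = RTA_NEXT(a, alen)) {  // bounds-checked attribute walk
            unsigned char *p = (unsigned char *)RTA_DATA(a);
            char s[INET6_ADDRSTRLEN];  // 46 bytes, also fits a MAC string
            if (a->rta_type == NDA_DST && RTA_PAYLOAD(a) == (nd->ndm_family == AF_INET6 ? 16 : 4)) {
                if (inet_ntop(nd->ndm_family, p, s, sizeof s)) ev.ip = s;  // non-IP families stay empty
            } else if (a->rta_type == NDA_LLADDR && RTA_PAYLOAD(a) == 6) {  // Ethernet address
                snprintf(s, sizeof s, "%02x:%02x:%02x:%02x:%02x:%02x", p[0], p[1], p[2], p[3], p[4], p[5]);
                ev.mac = s;
            }
        }
        out.push_back(ev);
    }
    return out;
}

// Constructed sample (not captured traffic): RTM_NEWNEIGH, 192.0.2.10 at 02:00:00:aa:bb:cc, ifindex 2.
std::vector<char> sample_event() {
    std::vector<char> b(NLMSG_SPACE(sizeof(ndmsg)) + RTA_SPACE(4) + RTA_SPACE(6));
    nlmsghdr *nh = (nlmsghdr *)b.data();
    nh->nlmsg_len = b.size(); nh->nlmsg_type = RTM_NEWNEIGH;
    ndmsg *nd = (ndmsg *)NLMSG_DATA(nh);
    nd->ndm_family = AF_INET; nd->ndm_ifindex = 2; nd->ndm_state = NUD_REACHABLE;
    rtattr *dst = (rtattr *)(b.data() + NLMSG_SPACE(sizeof(ndmsg)));
    dst->rta_type = NDA_DST; dst->rta_len = RTA_LENGTH(4);
    inet_pton(AF_INET, "192.0.2.10", RTA_DATA(dst));
    rtattr *ll = (rtattr *)((char *)dst + RTA_SPACE(4));
    ll->rta_type = NDA_LLADDR; ll->rta_len = RTA_LENGTH(6);
    memcpy(RTA_DATA(ll), "\x02\x00\x00\xaa\xbb\xcc", 6);
    return b;
}
```

In the receive loop above, the call would be `parse_neigh_events(buffer, received_bytes)`. For monitoring, a `mac` that changes for an already known `ip` is the event worth alerting on.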