Reputation: 3
I made a script that monitors the MAC address of the default gateway and alerts if an ARP attack is found. But I got some errors during execution.
I can't return the results with the regular expressions. This is for Linux scripts.
```bash
#!/bin/bash
function getmac {
dg = netstat -rn | grep -Eo 'default.*([0-9]{1,3}\.){3}[0-9]{1,3}' #grab the default gateway (DG)
dg_ip= $dg | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' #strip the DG to just IP
dg_arp = arp -a | grep -w $dg_ip #grab the arp entry for DG
dg_mac=$(echo $dg_arp | grep -Eo '[0-9a-f]{1,2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}') #strip the ARP entry to just the MAC
echo "netstat shows "$dg
echo "DG IP shows "$dg_ip
echo "arp shows "$dg_arp
echo "DG MAC shows "$dg_mac
}
```
Thanks in advance, and sorry for my English.
Upvotes: 0
Views: 220
Reputation: 158140
I would advise you to use a tool like arpwatch for that.
However, as you requested help I've prepared a bash function that should do what you are looking for:
```bash
#!/bin/bash
# The function expects an interface name
# such as 'eth0' as param
#
function getmac {
interface="$1"
# grab the routing-table line for the default gateway (flags UG) on this interface
dg=$(route -n | grep UG | grep "$interface")
# extract the gateway IP (second column of route's output)
dg_ip=$(echo "$dg" | awk '{print $2}')
# grab the arp entry for default gateway
dg_arp=$(arp -a "$dg_ip")
# strip the ARP entry to just the MAC (fourth field of "? (ip) at mac [ether] on if")
dg_mac=$(echo "$dg_arp" | awk '{print $4}')
# output
echo "route shows $dg"
echo "DG IP shows $dg_ip"
echo "arp shows $dg_arp"
echo "DG MAC shows $dg_mac"
}
# test it with eth0
getmac "eth0"
```
Upvotes: 1
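For completeness, here is an added example of the monitor the question describes, written for this page and not taken from the question or the answer: it parses `ip route` and `ip neigh` output (the modern replacements for `netstat -rn` and `arp -a`), reads that output from stdin so the parsers can be exercised on constructed sample text, and compares the observed gateway MAC against a baseline recorded while the network was trusted. The sample route and neighbour lines used for testing are constructed, not captured from a real host.

```bash
#!/bin/bash
# Added example (not from the question or answer): watch the default gateway's
# MAC and report a change. Parsers read command output from stdin so they can be
# exercised on constructed samples; get_live_gateway_mac wires them to ip(8).

# Default gateway IP from `ip route show default` output.
gateway_ip_from_route() {
    grep -Eo 'default via ([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1 | awk '{print $3}'
}

# MAC for one IP from `ip neigh show` output, e.g.
# "192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE".
# Prints nothing for an entry without lladdr (INCOMPLETE/FAILED).
mac_from_neigh() {
    awk -v ip="$1" '$1 == ip {
        for (i = 1; i < NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit }
    }'
}

# Compare the observed MAC with the baseline recorded at a trusted moment.
# Exit status: 0 unchanged, 1 changed (possible ARP spoofing), 2 unresolved.
check_gateway_mac() {
    local baseline="$1" observed="$2"
    [ -n "$observed" ] || return 2
    [ "$baseline" = "$observed" ] || return 1
    return 0
}

# Live lookup on this host (not exercised by the offline tests).
get_live_gateway_mac() {
    local gw_ip
    gw_ip=$(ip route show default | gateway_ip_from_route)
    [ -n "$gw_ip" ] || return 2
    ip neigh show | mac_from_neigh "$gw_ip"
}

# Usage: gateway_mac_monitor <baseline-mac> [interval-seconds]
gateway_mac_monitor() {
    local baseline="$1" interval="${2:-10}" mac
    while :; do
        mac=$(get_live_gateway_mac) || mac=""
        if ! check_gateway_mac "$baseline" "$mac"; then
            echo "ALERT: gateway MAC is '${mac:-unresolved}', baseline was '$baseline'"
        fi
        sleep "$interval"
    done
}
```

Record the baseline once on a trusted network (for example `get_live_gateway_mac`), then run `gateway_mac_monitor aa:bb:cc:dd:ee:01 5`; a neighbour entry in FAILED or INCOMPLETE state has no `lladdr`, so the checker reports it as unresolved rather than as a change.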