#998515 arpwatch generates malformed emails.

Package:
arpwatch
Source:
arpwatch
Description:
Ethernet/FDDI station activity monitor
Submitter:
Yanko Hernandez Alvarez
Date:
2021-11-05 15:21:03 UTC
Severity:
important
#998515#5
Date:
2021-11-04 18:16:12 UTC
Dear Maintainer,

After I installed arpwatch

    apt-get install arpwatch

and enabled it

    systemctl enable arpwatch@eth0
    systemctl start arpwatch@eth0

arpwatch sends malformed emails (no subject, mail body prefix truncated, mail body inside mail headers) such as the attached examples.

#998515#10
Date:
2021-11-04 22:41:35 UTC
Hi Yanko,

thanks for your report!  Please help me to understand what's happening
by providing the following information:

* How exactly is arpwatch invoked? Please provide the output of
  `ps -U arpwatch -F` or (in case that doesn't show any processes)
  `ps -eF | grep arpwatch`.

* The output of `dpkg -S /usr/lib/sendmail` so I know which Debian
  package is providing the /usr/lib/sendmail binary installed in your
  system.

Thanks
Lukas

#998515#17
Date:
2021-11-05 12:25:08 UTC
"ps -U arpwatch -F" output

    UID          PID    PPID  C    SZ   RSS PSR STIME TTY          TIME CMD
    arpwatch   10821       1  0  3044  6124   1 Nov04 ?        00:00:01 /usr/sbin/arpwatch -u arpwatch -i eth0 -f eth0.dat -N -p -F

"dpkg -S /usr/lib/sendmail" output

    postfix: /usr/lib/sendmail

#998515#22
Date:
2021-11-05 15:16:40 UTC
Thanks for providing the details!  Unfortunately I still don't have a
good idea of what could be causing the broken/truncated mails you're
seeing.  I have a very similar setup and things are working fine here.


The way arpwatch creates and sends reports is roughly as follows:

* Create a temporary file in /tmp, immediately unlink it (but keep the
  file descriptor open).
* Write the report to that file descriptor.  The report has all the
  headers first, followed by two newlines and finally the body.
* Once finished writing the report, seek the file descriptor back to
  position 0, launch sendmail and pass the file descriptor to it as
  standard input.


Looking at the broken e-mails you attached, it appears that sendmail
doesn't receive the complete content of the report but it starts at
some offset (not always exactly the same).  I'm not yet sure how that
can happen.

Can you check that your filesystem in /tmp isn't (almost) full?  Also
make sure no other filesystem is (almost) full (I believe postfix
spools e-mails to somewhere in /var).


If that doesn't help, my best ideas are:

1. Launch arpwatch by hand using the `-d` flag but with otherwise same
   parameters. That should print the reports to standard error so we
   can see if those are truncated as well.

2. Write a dummy sendmail replacement that just copies the reports
   somewhere, then direct arpwatch to use that instead. Then check if
   those reports are truncated as well.

I'm happy to help with (2) if we're still uncertain after all the other
steps.

Thanks & regards
Lukas
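The create/unlink/write/seek/exec sequence Lukas describes, as an added C example that is not arpwatch's own code: it builds a constructed report in an unlinked temp file, hands the descriptor to /bin/cat standing in for sendmail, and measures how many bytes the child actually consumed with and without the seek back to offset 0 (the report text, the cat stand-in and the offset measurement are all assumptions made for this demonstration).

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

struct outcome { long total; long seen; };

/* Headers, blank line, body into an unlinked temp file; offset left at EOF. */
static int build_report(const char *subject, const char *body)
{
    char path[] = "/tmp/report-XXXXXX";   /* constructed name, not arpwatch's */
    char buf[1024];
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                          /* name is gone, fd still usable */
    int n = snprintf(buf, sizeof buf, "From: arpwatch\nTo: root\nSubject: %s\n\n%s", subject, body);
    if (write(fd, buf, (size_t)n) != n) { close(fd); return -1; }
    return fd;
}

/* Run /bin/cat (stand-in for sendmail) with fd as stdin and return the bytes it
 * consumed: fork() and dup2() share the open file description, so the child
 * reads from wherever the parent left the offset, and the parent's offset
 * after the child exits shows how much the child saw. */
static long feed_to_mailer(int fd, int seek_back)
{
    if (seek_back && lseek(fd, 0, SEEK_SET) < 0) return -1;
    long start = (long)lseek(fd, 0, SEEK_CUR);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fd, STDIN_FILENO);            /* report becomes the mailer's stdin */
        execl("/bin/cat", "cat", (char *)NULL);
        _exit(127);
    }
    int status = 0; waitpid(pid, &status, 0);
    return (long)lseek(fd, 0, SEEK_CUR) - start;
}

/* Build a constructed report and hand it over with or without the seek. */
struct outcome demo(int seek_back)
{
    struct outcome o = { -1, -1 };
    int fd = build_report("constructed test report", "constructed body line\n");
    if (fd < 0) return o;
    o.total = (long)lseek(fd, 0, SEEK_END);
    o.seen = feed_to_mailer(fd, seek_back);
    close(fd);
    return o;
}
```

Calling demo(1) lets cat print the whole report; demo(0) shows the failure mode where the mailer inherits an offset already at end of file and sees nothing, which is the same mechanism by which a wrong offset would yield a report that starts part-way through its headers.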