--- arpwatch-2.1a15-dist/arpwatch.c	2012-07-23 09:55:35.832458313 +0200

+++ arpwatch-2.1a15-new/arpwatch.c	2012-07-24 11:36:59.013953071 +0200

@@ -161,15 +161,63 @@ void dropprivileges(const char* user)

 	syslog(LOG_DEBUG, "Running as uid=%d gid=%d", getuid(), getgid());

 }

+char *

+get_first_dev(pcap_t **pd, int *linktype, char *errbuf)

+{

+	static char interface[IF_NAMESIZE + 1];

+	register int snaplen, timeout;

+	pcap_if_t *alldevs;

+	pcap_if_t *dev;

+	char *ret = NULL;

+

+	snaplen = max(sizeof(struct ether_header),

+				  sizeof(struct fddi_header)) + sizeof(struct ether_arp);

+	timeout = 1000;

+

+	if (pcap_findalldevs(&alldevs, errbuf) == -1) {

+		(void)fprintf(stderr, "%s: lookup_device: %s\n",

+					  prog, errbuf);

+		exit(1);

+	}

+

+	for (dev = alldevs; dev; dev = dev->next) {

+		strncpy(interface, dev->name, strlen(dev->name)+1);

+

+		*pd = pcap_open_live(interface, snaplen, 1, timeout, errbuf);

+		if (*pd == NULL) {

+			syslog(LOG_ERR, "pcap open %s: %s, trying next...", interface, errbuf);

+			continue;

+			/* exit(1); */

+		}

+

+		*linktype = pcap_datalink(*pd);

+		/* Must be ethernet or fddi */

+		if (*linktype != DLT_EN10MB && *linktype != DLT_FDDI) {

+			syslog(LOG_ERR, "(%s) Link layer type %d not ethernet or fddi, trying next...",

+				   interface, *linktype);

+			pcap_close(*pd);

+		}

+		else {

+			/* First match, use it */

+			ret = interface;

+			break;

+		}

+

+	}

+	pcap_freealldevs(alldevs);

+	return (ret);

+}

+

 int

 main(int argc, char **argv)

 {

 	register char *cp;

-	register int op, pid, snaplen, timeout, linktype, status;

+	register int op, pid, status;

+	int linktype;

 #ifdef TIOCNOTTY

 	register int fd;

 #endif

-	register pcap_t *pd;

+	pcap_t *pd;

 	register char *interface, *rfilename;

 	struct bpf_program code;

 	char errbuf[PCAP_ERRBUF_SIZE];

@@ -189,6 +237,7 @@ main(int argc, char **argv)

 	opterr = 0;

 	interface = NULL;

+	linktype = -1;

 	rfilename = NULL;

 	pd = NULL;

 	while ((op = getopt(argc, argv, "df:i:n:Nr:u:e:s:")) != EOF)

@@ -264,11 +313,12 @@ main(int argc, char **argv)

 		net = 0;

 		netmask = 0;

 	} else {

+

 		/* Determine interface if not specified */

 		if (interface == NULL &&

-		    (interface = pcap_lookupdev(errbuf)) == NULL) {

-			(void)fprintf(stderr, "%s: lookup_device: %s\n",

-			    prog, errbuf);

+			(interface = get_first_dev(&pd, &linktype, errbuf)) == NULL) {

+			(void)fprintf(stderr, "%s: lookup_device: no suitable interface found\n",

+						  prog);

 			exit(1);

 		}

@@ -317,10 +367,6 @@ main(int argc, char **argv)

 		}

 		swapped = pcap_is_swapped(pd);

 	} else {

-		snaplen = max(sizeof(struct ether_header),

-		    sizeof(struct fddi_header)) + sizeof(struct ether_arp);

-		timeout = 1000;

-		pd = pcap_open_live(interface, snaplen, 1, timeout, errbuf);

 		if (pd == NULL) {

 			syslog(LOG_ERR, "pcap open %s: %s", interface, errbuf);

 			exit(1);

@@ -340,14 +386,6 @@ main(int argc, char **argv)

 		dropprivileges( serveruser );

 	}

-	/* Must be ethernet or fddi */

-	linktype = pcap_datalink(pd);

-	if (linktype != DLT_EN10MB && linktype != DLT_FDDI) {

-		syslog(LOG_ERR, "Link layer type %d not ethernet or fddi",

-		    linktype);

-		exit(1);

-	}

-

 	/* Compile and install filter */

 	if (pcap_compile(pd, &code, "arp or rarp", 1, netmask) < 0) {

 		syslog(LOG_ERR, "pcap_compile: %s", pcap_geterr(pd));