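#!/bin/sh
#
# Poll the local ARP cache every 5 seconds and raise a Growl notification when
#   * two or more resolved ARP entries share one MAC address,
#   * a MAC address for the default gateway is seen for the first time, or
#   * the default gateway's MAC address differs from the last one seen.
#
# Detection caveats:
#   * The first gateway MAC observed after start-up becomes the baseline. If
#     the cache is already poisoned when the script starts, the only signal
#     is the low-priority "new gateway" notice, so compare that value with
#     the router's known MAC address.
#   * Duplicate MACs and gateway MAC changes also have benign causes (the
#     alert text itself says "it could be nothing"); treat alerts as a prompt
#     to investigate, not as proof.
#   * Only the state of the cache at each 5-second poll is seen.
#
# Uses the BSD/macOS form of route(8) ("route -n get 0/0") and growlnotify.

# System directories first, then the script's own directory (presumably so a
# growlnotify binary shipped next to the script is found -- confirm). The
# directory is resolved to an absolute path so PATH never gains a relative
# entry when the script is started as "sh arpwatcher.sh".
PATH=/bin:/sbin:/usr/bin:/usr/sbin
script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" 2>/dev/null && pwd) || script_dir=
if [ -n "$script_dir" ]; then
  PATH="${PATH}:${script_dir}"
fi
export PATH

# Start with no baseline instead of inheriting last_arp from the environment.
last_arp=

while :; do
  # Keep the snapshot in a variable; no temp file is left in /tmp if the
  # script is interrupted mid-iteration.
  arp_table=$(arp -an) || arp_table=

  # Gateway address of the default route; empty when there is none.
  defaultroute_ip=$(route -n get 0/0 | awk -F ': ' '/gateway/ { print $2 }')

  if [ -n "$defaultroute_ip" ]; then
    # Fixed-string match: the dots in the IP must not act as regex wildcards.
    defaultroute_arp=$(printf '%s\n' "$arp_table" |
      grep -F -- "(${defaultroute_ip})" |
      cut -d ' ' -f 4)

    # MACs that occur on more than one resolved entry. "(incomplete)"
    # placeholders are skipped so they are never reported as duplicates.
    dupes=$(printf '%s\n' "$arp_table" |
      awk '!/incomplete/ && NF >= 4 && ++seen[$4] == 2 { print $4 }')

    if [ -n "$dupes" ]; then
      printf 'gateway mac may be spoofed. dupes follow:\n%s\n' "$dupes" |
        growlnotify -s -p 2 -t 'spoofed gateway?'
    fi

    if [ -n "$defaultroute_arp" ]; then
      if [ -z "$last_arp" ]; then
        printf 'new gateway %s\n' "$defaultroute_arp" | growlnotify
      elif [ "$last_arp" != "$defaultroute_arp" ]; then
        printf 'it could be nothing, but ...\nold: %s\nnew: %s\n' \
          "$last_arp" "$defaultroute_arp" |
          growlnotify -s -p 2 -t 'gateway changed!'
      fi
      # Update the baseline only when a MAC was actually resolved. Otherwise
      # an expired cache entry would reset it and a different MAC appearing
      # afterwards would be reported as "new gateway", not "gateway changed".
      last_arp=$defaultroute_arp
    fi
  fi

  sleep 5
done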