Honeypots mailing list archives

Excluding address ranges in arpd/honeyd


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 11 Jun 2004 14:07:26 -0500

Honeypots are cool, right?  Looks like a good way to help identify worms
and bad people, right?  So, I set up honeyd on a subnet that's all mine,
set up rules, and fire up arpd and honeyd.

My first tests worked fine.  I specified the unused portion of the local
subnet.  That all worked, generated dynamic hosts and everything.  Now,
I get a bit more ambitious.  The plan is to take any packet that isn't
destined to an allocated network inside the WAN and route it to the
honeypot.  Looking through the docs, I see that if I don't specify an IP
address/network on the commandline, the default behavior for both arpd
and honeyd is to just look at all IP traffic.

So, now my IDS starts seeing something odd.  It is getting packets
sourced from 224.0.0.2, an IANA-reserved multicast address that is NEVER
supposed to be the source of any packet, destined to the default router
in my local subnet.  Checking further, it appears that honeyd happily
responded, just as configured, to the HSRP packets being sent to
224.0.0.2 with an ICMP port unreach, sourced from the multicast address!

Now, the router guys tell me that this is a Bad Thing(TM).  I don't want
to hose the network, so I figure I either need to figure out how to
exclude networks from being virtualized by honeyd or I need to abandon
this whole thing.  Whipping out The Fine Manual, I looked to see if the
commandline was standard BPF or not, and it appears to be not, even
though both programs seem to use BPF notation internally.

My question is this: how do I configure arpd and honeyd to honeypot all
addresses EXCEPT certain ones?  If I were doing a BPF, I think it'd read
"not net 224.0.0.0/8 and not net 192.168.1.0/24".

Thanks.

Jon
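
The post asks for an exclusion syntax, but a tool that only accepts a positive list of networks can still be told "everything except these" if the complement is computed first. The following is an added example, not code from the post, from honeyd or from arpd: it turns a claimed range minus excluded ranges into an explicit CIDR list (the assumption being that honeyd and arpd take such a list as positive network arguments; the exact command-line flags are not shown on this page), and it adds the per-packet check that would have refused the HSRP traffic to 224.0.0.2. The sample packets are constructed for the example; the exclusion list uses the whole IPv4 multicast block 224.0.0.0/4 rather than the /8 written in the post.

```python
"""
Honeypot address-claim helpers (added example, not honeyd/arpd code).

claim_except():  explicit CIDR list = claimed ranges minus excluded ranges,
                 for tools that accept only positive network arguments.
should_answer(): per-packet guard that never impersonates multicast,
                 broadcast or reserved destinations, and never replies to a
                 packet whose source is multicast, so no reply can ever be
                 sourced from an address like 224.0.0.2.
"""
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_nets(specs):
    """Parse CIDR strings; strict=False tolerates host bits (10.1.2.3/24)."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def claim_except(claimed, excluded):
    """Return the minimal sorted CIDR list covering `claimed` minus `excluded`."""
    result = []
    for net in parse_nets(claimed):
        pieces = [net]
        for ex in parse_nets(excluded):
            nxt = []
            for p in pieces:
                if not ex.overlaps(p):
                    nxt.append(p)            # disjoint: keep as is
                elif ex.supernet_of(p):
                    continue                 # fully excluded: drop
                else:
                    # CIDR blocks nest or are disjoint, so here `ex` is a
                    # strict subnet of `p` and address_exclude() is valid.
                    nxt.extend(p.address_exclude(ex))
            pieces = nxt
        result.extend(pieces)
    return [str(n) for n in ipaddress.collapse_addresses(result)]


def covers(nets, addr):
    """True if `addr` falls inside any network in the CIDR list `nets`."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in parse_nets(nets))


def should_answer(src, dst, claimed):
    """True only if a honeypot should impersonate `dst` for this packet."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    nets = parse_nets(claimed)
    if d.is_multicast or d.is_reserved or d.is_unspecified or d == LIMITED_BROADCAST:
        return False                         # e.g. HSRP hellos to 224.0.0.2
    if s.is_multicast or s.is_unspecified:
        return False                         # never reply to a bogus source
    if any(d == n.broadcast_address for n in nets if n.prefixlen < 31):
        return False                         # directed broadcast of a claimed net
    return any(d in n for n in nets)


# Constructed sample traffic: (src, dst, description).
SAMPLE_PACKETS = [
    ("10.0.0.1", "224.0.0.2", "HSRP hello from the real router"),
    ("10.0.0.1", "10.9.9.9", "probe to an unallocated address"),
    ("10.0.0.1", "10.1.2.3", "probe into an allocated /16 we excluded"),
    ("224.0.0.2", "10.0.0.1", "packet with a multicast source"),
    ("10.0.0.1", "10.255.255.255", "directed broadcast of 10.0.0.0/8"),
]


def triage(packets, claimed):
    """Return [(src, dst, answer?)] for each constructed packet."""
    return [(s, d, should_answer(s, d, claimed)) for s, d, _ in packets]


if __name__ == "__main__":
    # Claim all of 10.0.0.0/8 except one allocated /16 and all multicast.
    nets = claim_except(["10.0.0.0/8"], ["10.1.0.0/16", "224.0.0.0/4"])
    print("positive network list:", " ".join(nets))
    for src, dst, ok in triage(SAMPLE_PACKETS, nets):
        print(f"{src:>15} -> {dst:<15} {'answer' if ok else 'ignore'}")
```

The printed network list is what you would hand to a tool that takes only positive network arguments; the per-packet guard is the check that was missing when honeyd answered the HSRP hellos. Note that claim_except() leaves the directed broadcast of the claimed block inside the list, so should_answer() has to reject it separately.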

