jump to navigation

How to: Detect ARP Spoofing with “arpwatch” under Linux January 9, 2011

Posted by Tournas Dimitrios in Linux admin tools.

My previous article outlined the  ARP protocol , so I assume that you already know the basic concepts of communication between computers on a LAN  environment  . Some people are using this “communication model ” to compromise a network . Fortunately for us there are lot of utilities available to track these attacks , arpwatch is my personal  favorite . This  simple tool  will help you watch changing IP Addresses and MAC Addresses on your network.  It will list  the information with a timestamp so you can carefully watch the activity. The primary limitation of arpwatch comes from being restricted to local traffic . It is not a tool that can be used across networks . If you need to watch several networks , you will need to start arpwatch on each of those networks .

The information can be recorded in one of four ways :

  1. Data may be written directly to the system console
  2. to the system’s syslog file
  3. to a user-specidied text file
  4. or it can be sent as an email to root (althroug it can be configured to be send to other mail)

Arpwatch is not by default installed on any Linux distribution , so it must be installed manually . My favorite distro is CentOs 5.x and I use yum to make the installation on my box :
yum install arpwatch

Lets first focus on the most important files that this utility installs on a CentOs box (although the concepts remain the same for all distro’s , the location of the files are slightly differently ) . 

[root@dhcppc1 ~]# rpm -ql arpwatch

  • /etc/rc.d/init.d/arpwatch  : The “service arpwatch [start|stop|status|restart] ” and
    ” chkconfig –list arpwatch” commands controls the status of the deamon  .
  • /etc/sysconfig/arpwatch  : The main configuration file , defines with what user id arpwatch should run , the where to send the report etc …
  • /usr/sbin/arpwatch : Starting and stoping the utility via the terminal
  • /var/arpwatch/arp.dat  : Plain text database-file where are mappings ( IP / MAC ) are recorded .
  • /var/arpwatch/ethercodes.dat  : This file maps MAC with ventor of the NIC ‘s . Propably it is outdated , so the latest NIC ‘s are not included .
  • /var/log/messages : Of course, with the syslog file, these messages will be interspersed with many other messages, but you can easily use grep to extract them. For example, to write all the messages from arpwatch that were recorded in /var/log/messages into the file /temp/arp.data, you can use the command:
    ” grep  arpwatch  /var/log/messages > /tmp/arp.list

After the installation process follow these steps :

  1. chkconfig   – -level 35  arpwatch  on
  2. edit the main configuration file ( actually this is not necessary )
    eth0 -a -n -m youremail@mydomain.com
  3. start  the daemon :  service  arpwatch  start
  4. Verify that the process is running :  ps  -ef  |grep arpwatch
  5. Vuala !!!!    the daemon will alarm you with an email if a new MAC (NIC ) is plugged on the network or a specific IP is changing his MAC address .

Here is an example of an email report that a new NIC (MAC) is connected on the network .

This example notify that an IP is changing his MAC address .

If you are running DHCP on your LAN and find arpwatch ‘s  output annoying  , you may want to avoid arpwatch . But if you are facing problems with DHCP , arpwatch might , in limited circumstances be useful .

You can watch particular interface with command:  arpwatch -i eth0

You will notice syslog entries as follows /var/log/syslog file (or /var/log/message file) when changes are made i.e MAC/IP address pair is changed:  tail -f /var/log/syslog

Run the following commands from terminal.
sudo apt-get install arpwatch
Create empty file for storing host information:
sudo touch /var/lib/arpwatch/arp.dat
Edit the config file:
sudo nano /etc/arpwatch.conf
insert line like this:
eth0 -a -n -m youremail@mydomain.com
Restart arpwatch:
sudo /etc/init.d/arpwatch restart
Check if the process is running:
ps –ef | grep arpwatch
root 218 1 0 11:38 ? 00:00:00 /usr/sbin/arpwatch ...


No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s