How to: Detect ARP Spoofing with “arpwatch” under Linux January 9, 2011Posted by Tournas Dimitrios in Linux admin tools.
My previous article outlined the ARP protocol , so I assume that you already know the basic concepts of communication between computers on a LAN environment . Some people are using this “communication model ” to compromise a network . Fortunately for us there are lot of utilities available to track these attacks , arpwatch is my personal favorite . This simple tool will help you watch changing IP Addresses and MAC Addresses on your network. It will list the information with a timestamp so you can carefully watch the activity. The primary limitation of arpwatch comes from being restricted to local traffic . It is not a tool that can be used across networks . If you need to watch several networks , you will need to start arpwatch on each of those networks .
The information can be recorded in one of four ways :
- Data may be written directly to the system console
- to the system’s syslog file
- to a user-specidied text file
- or it can be sent as an email to root (althroug it can be configured to be send to other mail)
Arpwatch is not by default installed on any Linux distribution , so it must be installed manually . My favorite distro is CentOs 5.x and I use yum to make the installation on my box :
” yum install arpwatch ”
Lets first focus on the most important files that this utility installs on a CentOs box (although the concepts remain the same for all distro’s , the location of the files are slightly differently ) .
[root@dhcppc1 ~]# rpm -ql arpwatch
- /etc/rc.d/init.d/arpwatch : The “service arpwatch [start|stop|status|restart] ” and
” chkconfig –list arpwatch” commands controls the status of the deamon .
- /etc/sysconfig/arpwatch : The main configuration file , defines with what user id arpwatch should run , the where to send the report etc …
- /usr/sbin/arpwatch : Starting and stoping the utility via the terminal
- /var/arpwatch/arp.dat : Plain text database-file where are mappings ( IP / MAC ) are recorded .
- /var/arpwatch/ethercodes.dat : This file maps MAC with ventor of the NIC ‘s . Propably it is outdated , so the latest NIC ‘s are not included .
- /var/log/messages : Of course, with the syslog file, these messages will be interspersed with many other messages, but you can easily use grep to extract them. For example, to write all the messages from arpwatch that were recorded in /var/log/messages into the file /temp/arp.data, you can use the command:
” grep arpwatch /var/log/messages > /tmp/arp.list “
After the installation process follow these steps :
- chkconfig – -level 35 arpwatch on
- edit the main configuration file ( actually this is not necessary )
eth0 -a -n 192.168.1.0/24 -m email@example.com
- start the daemon : service arpwatch start
- Verify that the process is running : ps -ef |grep arpwatch
- Vuala !!!! the daemon will alarm you with an email if a new MAC (NIC ) is plugged on the network or a specific IP is changing his MAC address .
If you are running DHCP on your LAN and find arpwatch ‘s output annoying , you may want to avoid arpwatch . But if you are facing problems with DHCP , arpwatch might , in limited circumstances be useful .
You can watch particular interface with command:
arpwatch -i eth0
You will notice syslog entries as follows /var/log/syslog file (or /var/log/message file) when changes are made i.e MAC/IP address pair is changed:
tail -f /var/log/syslog