CentosFedoraLinuxMonitoring

Monitoring Ethernet Activity using Arpwatch in Linux

Arpwatch is an open source computer software program that helps you to monitor ethernet traffic activity (like Changing IP and MAC Addresses) on your network and maintains a database of ethernet/ip address pairings. It produces a log of noticed pairing of IP and MAC addresses information along with a timestamps, so you can carefully watch when the pairing activity appeared on the network. It also has the option to send reports via email to an network administrator when a pairing added or changed.
This tool is specially useful for Network administrators to keep a watch on ARP activity to detect ARP spoofing or unexpected IP/MAC addresses modifications.

Installing Arpwatch in Linux

By default, Arpwatch tool is not installed on any Linux distributions. We must install it manually using ‘yum‘ command on RHEL, CentOS, Fedora

# yum install arpwatch

and ‘apt-get‘ on Ubuntu, Linux Mint and Debian.

$ sudo apt-get install arpwatch

Let’s focus on the some most important arpwatch files, the location of the files are slightly differ based on your operating system.

  1. /etc/rc.d/init.d/arpwatch : The arpwatch service for start or stop daemon.
  2. /etc/sysconfig/arpwatch : This is main configuration file…
  3. /usr/sbin/arpwatch : Binary command to starting and stopping tool via the terminal.
  4. /var/arpwatch/arp.dat : This is main database file where IP/MAC addresses are recorded.
  5. /var/log/messages : The log file, where arpwatch writes any changes or unusual activity to IP/MAC.

Type the following command to start the arpwatch service.

# chkconfig --level 35 arpwatch on
# /etc/init.d/arpwatch start
$ sudo chkconfig --level 35 arpwatch on
$ sudo /etc/init.d/arpwatch start

Arpwatch Commands and Usage

To watch a specific interface, type the following command with ‘-i‘ and device name.

# arpwatch -i eth0

So, whenever a new MAC is plugged or a particular IP is changing his MAC address on the network, you will notice syslog entries at ‘/var/log/syslog‘ or ‘/var/log/message‘ file.

# tail -f /var/log/messages

Sample Output

Apr 13 12:45:17 lintut arpwatch: new station 192.168.1.80 60:eb:69:96:73:11
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1

The above output displays new workstation. If any changes are made, you will get following output.

Apr 13 12:46:3 lintut arpwatch: changed station 192.168.1.80 82:f3:a3:87:26:34 (60:eb:69:96:73:11)
Apr 13 12:46:5 lintut arpwatch: changed station 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
Apr 13 12:46:5 lintut arpwatch: changed station 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
Apr 13 12:46:5 lintut arpwatch: changed station 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
Apr 13 12:46:5 lintut arpwatch: changed station 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)

You can also check current ARP table, by using following command.

# arp -a

Sample Ouput

lintut.com (192.168.1.83) at 00:a3:be:12:26:13 [ether] on eth0
? (192.168.1.1) at 00:bc:6b:a3:57:bb [ether] on eth0

If you want to send alerts to your custom email id, then open the main configuration file ‘/etc/sysconfig/arpwatch‘ and add the email as shown below.

# -u : defines with what user id arpwatch should run
# -e : the where to send the reports
# -s : the -address
OPTIONS="-u arpwatch -e lintut@lintut.com -s 'root (Arpwatch)'"

Here is an example of an email report, when a new MAC is connected on.
hostname: centos
ip address: 192.168.1.81
interface: eth0
ethernet address: 1c:65:9d:93:fc:e1
ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
timestamp: Monday, April 13, 2013 15:32:29

Here is an example of an email report, when a IP changing his MAC address.
hostname: centos
ip address: 192.168.1.81
interface: eth0
ethernet address: 00:12:11:ab:e6:bd
ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
old ethernet address: 00:24:1d:76:e4:1d
timestamp: Monday, April 13, 2013 15:43:45
previous timestamp: Monday, April 13, 2013 15:32:29
delta: 9 minutes

As you can see above, it records, HostnameIP addressMAC addressVendor name andtimestamps. For more information, see the arpwatch man page by hitting ‘man arpwatch’ on the terminal.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close
Close