How to monitor Ethernet Activity using Arpwatch Tool

To monitor Ethernet Activity using Arpwatch Tool

Arpwatch is an open-source program that monitors ARP activity on a network and detects ARP spoofing. It maintains a database of Ethernet/IP address pairings and reports every pairing it notices. This tutorial illustrates, with examples, how to monitor Ethernet activity on Linux using the Arpwatch tool.

To Install Arpwatch

Arpwatch can be installed with the apt-get, dnf or yum command, depending on your distribution.

On Ubuntu/Debian Systems

$ sudo apt-get install arpwatch

On Fedora Systems

$ sudo dnf install arpwatch

On CentOS/RedHat Systems

To install arpwatch, run the yum command in the terminal.

[root@linuxhelp Desktop]# yum install arpwatch
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: centos.webwerks.com
 * extras: centos.webwerks.com
 * updates: mirror.nbrc.ac.in
Resolving Dependencies
--> Running transaction check
---> Package arpwatch.x86_64 14:2.1a15-14.el6 will be installed
.
.
.
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 14:arpwatch-2.1a15-14.el6.x86_64    1/1
  Verifying  : 14:arpwatch-2.1a15-14.el6.x86_64    1/1
Installed:
  arpwatch.x86_64 14:2.1a15-14.el6

Complete!

The important arpwatch files are as follows:

/etc/rc.d/init.d/arpwatch : Init script used to start or stop the daemon.
/etc/sysconfig/arpwatch : Main configuration file.
/usr/sbin/arpwatch : The arpwatch binary, run from the terminal to start the tool.
/var/arpwatch/arp.dat : Main database file in which IP/MAC address pairings are recorded.
/var/log/messages : System log file to which arpwatch writes its messages.

Locations may differ depending on your distribution.

To start the arpwatch service

Execute the following command to start the arpwatch service.

[root@linuxhelp Desktop]# /etc/init.d/arpwatch start
Starting arpwatch:                                         [  OK  ]
[root@linuxhelp Desktop]# chkconfig --level 35 arpwatch on

Arpwatch Commands and usage

To watch a specific interface

Execute the arpwatch command with the -i option followed by the interface name to watch a specific interface.

[root@linuxhelp Desktop]# arpwatch -i eth0

The syslog entries in /var/log/syslog or /var/log/messages report when a new station (IP/MAC pairing) appears on the network or when an IP address changes its MAC address.

[root@linuxhelp Desktop]# tail -f /var/log/messages 
Apr 28 04:27:58 linuxhelp arpwatch: listening on eth0
Apr 28 04:27:59 linuxhelp arpwatch: new station 192.168.5.12 54:be:f7:38:a6:0
Apr 28 04:28:04 linuxhelp arpwatch: new station 192.168.5.20 0:22:4d:9f:6e:41
Apr 28 04:28:04 linuxhelp arpwatch: new station 192.168.5.1 3c:61:4:6c:d6:81
Apr 28 04:28:04 linuxhelp arpwatch: new station 192.168.5.177 0:c:29:10:e1:fd
Apr 28 04:29:03 linuxhelp arpwatch: listening on eth0
Apr 28 04:29:04 linuxhelp arpwatch: new station 192.168.5.12 54:be:f7:38:a6:0
Apr 28 04:29:09 linuxhelp arpwatch: new station 192.168.5.177 0:c:29:10:e1:fd
Apr 28 04:29:09 linuxhelp arpwatch: new station 192.168.5.1 3c:61:4:6c:d6:81
Apr 28 04:29:21 linuxhelp arpwatch: new station 192.168.5.20 0:22:4d:9f:6e:41

To check current ARP table

Execute the command below to check the current ARP table.

[root@linuxhelp Desktop]# arp -a
? (192.168.5.1) at 3c:61:04:6c:d6:81 [ether] on eth0

To send an alert to custom email id

Open the main configuration file /etc/sysconfig/arpwatch and add the email address to the OPTIONS line. Mail notifications containing the log details will be sent to the specified address.

OPTIONS="-u arpwatch -e linuxhelp@gmail.com -s 'root (Arpwatch)'"

Each notification records the hostname, IP address, MAC address, vendor name and timestamp of the event.

Comment
jb047
Jun 20 2018
Is there a way we can configure a custom email (from) address instead of the system's own SMTP config?
FAQ
Q
Where are the binary files for arpwatch?
A
/usr/sbin/arpwatch : Binary used to start and stop the tool from the terminal.
Q
What is the configuration file for monitoring Ethernet activity using the Arpwatch tool?
A
/etc/sysconfig/arpwatch : This is main configuration file…
Q
Is it cross-platform?
A
Yes.
Q
What are the alternatives to arpwatch?
A
Netcut, Tuxcut, ARP Monitor
Q
Is there a similar tool for Mac?
A
Find it here: dropbox.nakkaya.com/builds/Mocha-1.1.1.dmg