How to monitor Ethernet Activity using Arpwatch Tool
Arpwatch is an open source program that monitors ARP activity on a network and detects ARP spoofing. It maintains a database of Ethernet/IP address pairings, logs every pairing it observes and reports when a pairing changes. Because it works purely from ARP traffic, it only sees hosts on the broadcast domain of the interface it listens on. This tutorial shows how to monitor Ethernet activity with arpwatch on Linux, with examples.
To Install Arpwatch
Arpwatch is available from the standard package repositories and can be installed with apt-get, dnf or yum, depending on the distribution.
On Ubuntu/Debian Systems
$ sudo apt-get install arpwatch
On Fedora Systems
$ sudo dnf install arpwatch
On CentOS/RedHat Systems
To install arpwatch, run yum in the terminal.
[root@linuxhelp Desktop]# yum install arpwatch
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: centos.webwerks.com
 * extras: centos.webwerks.com
 * updates: mirror.nbrc.ac.in
Resolving Dependencies
--> Running transaction check
---> Package arpwatch.x86_64 14:2.1a15-14.el6 will be installed
. . .
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 14:arpwatch-2.1a15-14.el6.x86_64 1/1
  Verifying  : 14:arpwatch-2.1a15-14.el6.x86_64 1/1
Installed:
  arpwatch.x86_64 14:2.1a15-14.el6
Complete!
The important arpwatch files are as follows:
/etc/rc.d/init.d/arpwatch : Init script used to start and stop the daemon.
/etc/sysconfig/arpwatch : Main configuration file; it holds the OPTIONS passed to the daemon.
/usr/sbin/arpwatch : The arpwatch daemon binary. Run it directly from the terminal to watch an interface without the service script.
/var/arpwatch/arp.dat : Main database file where IP/MAC pairings are recorded (many packages place it at /var/lib/arpwatch/arp.dat instead).
/var/log/messages : System log file where arpwatch reports arrive via syslog (/var/log/syslog on Debian/Ubuntu).
Locations may differ depending on your operating system.
To start the arpwatch service
Execute the following commands to start the arpwatch service and enable it at boot (chkconfig --level 35 turns it on in runlevels 3 and 5).
[root@linuxhelp Desktop]# /etc/init.d/arpwatch start
Starting arpwatch: [ OK ]
[root@linuxhelp Desktop]# chkconfig --level 35 arpwatch on
Arpwatch Commands and usage
To watch a specific interface
Run arpwatch with the -i option followed by the interface name to watch a specific interface. Without -i, arpwatch uses its default interface.
[root@linuxhelp Desktop]# arpwatch -i eth0
Arpwatch reports through syslog, so its entries appear in /var/log/messages (RHEL/CentOS) or /var/log/syslog (Debian/Ubuntu). A "new station" message records an IP/MAC pairing seen for the first time. A "changed ethernet address" or "flip flop" message means an IP address that was known with one MAC is now answering from another; that is the pattern ARP spoofing produces, although it also happens legitimately when a NIC is replaced or a DHCP lease moves to another host, so each report should be checked against what is known about the network.
[root@linuxhelp Desktop]# tail -f /var/log/messages
Apr 28 04:27:58 linuxhelp arpwatch: listening on eth0
Apr 28 04:27:59 linuxhelp arpwatch: new station 192.168.5.12 54:be:f7:38:a6:0
Apr 28 04:28:04 linuxhelp arpwatch: new station 192.168.5.20 0:22:4d:9f:6e:41
Apr 28 04:28:04 linuxhelp arpwatch: new station 192.168.5.1 3c:61:4:6c:d6:81
Apr 28 04:28:04 linuxhelp arpwatch: new station 192.168.5.177 0:c:29:10:e1:fd
Apr 28 04:29:03 linuxhelp arpwatch: listening on eth0
Apr 28 04:29:04 linuxhelp arpwatch: new station 192.168.5.12 54:be:f7:38:a6:0
Apr 28 04:29:09 linuxhelp arpwatch: new station 192.168.5.177 0:c:29:10:e1:fd
Apr 28 04:29:09 linuxhelp arpwatch: new station 192.168.5.1 3c:61:4:6c:d6:81
Apr 28 04:29:21 linuxhelp arpwatch: new station 192.168.5.20 0:22:4d:9f:6e:41
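The log above only shows "new station" entries. The following shell script is an added example written for this tutorial (it is not part of arpwatch or of the original page): it reads arpwatch syslog lines, raises an ALERT for each "changed ethernet address" or "flip flop" event, and additionally reports any IP that arpwatch has paired with more than one MAC and any MAC that has claimed more than one IP, which is what a host answering for the gateway looks like. The layout of the changed-address and flip-flop messages (event, IP, new MAC, old MAC in parentheses) is assumed from arpwatch's report output. The sample log is constructed: it reuses the tutorial's addresses and adds the events that would follow 192.168.5.1 moving to the MAC of 192.168.5.177. MACs are zero-padded before comparison because arpwatch prints "3c:61:4:6c:d6:81" while the kernel's arp -a prints "3c:61:04:6c:d6:81".

```sh
#!/bin/sh
# Added example for this tutorial, not part of arpwatch itself: scan arpwatch
# syslog lines for the events that indicate an IP address changing its MAC.
# Assumed message layout (taken from arpwatch's report output):
#   new station <ip> <mac>
#   changed ethernet address <ip> <new mac> (<old mac>)
#   flip flop <ip> <new mac> (<old mac>)

# arpwatch prints MAC octets without leading zeros ("3c:61:4:6c:d6:81") while
# the kernel's arp -a zero-pads them ("3c:61:04:6c:d6:81"); normalize before
# comparing the two sources.
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '{
        for (i = 1; i <= NF; i++) {
            o = tolower($i)
            if (length(o) == 1) o = "0" o
            printf "%s%s", (i > 1 ? ":" : ""), o
        }
        print ""
    }'
}

# Reads syslog lines on stdin and prints one line per finding:
#   ALERT    an explicit changed-address / flip-flop event from arpwatch
#   CONFLICT an IP that arpwatch has paired with more than one MAC
#   SHARED   a MAC that has claimed more than one IP (a spoofing host
#            answering for the gateway looks exactly like this)
arpwatch_findings() {
    awk '
    function pad(mac,    n, i, p, out) {
        n = split(tolower(mac), p, ":")
        out = ""
        for (i = 1; i <= n; i++) {
            if (length(p[i]) == 1) p[i] = "0" p[i]
            out = out (i > 1 ? ":" : "") p[i]
        }
        return out
    }
    function strip_parens(s) { gsub(/[()]/, "", s); return s }
    # Remember every distinct ip<->mac pairing arpwatch has reported.
    function record(ip, mac) {
        if ((ip, mac) in seen) return
        seen[ip, mac] = 1
        ipmacs[ip] = ipmacs[ip] " " mac; ipcount[ip]++
        macips[mac] = macips[mac] " " ip; maccount[mac]++
    }
    # Keep only the text after "arpwatch: "; skip lines from other programs.
    !sub(/^.*arpwatch: /, "") { next }
    $1 == "new" && $2 == "station" { record($3, pad($4)); next }
    $1 == "changed" && $2 == "ethernet" {
        newmac = pad($5); oldmac = pad(strip_parens($6))
        printf "ALERT changed ethernet address: %s now %s, was %s\n", $4, newmac, oldmac
        record($4, newmac); record($4, oldmac); next
    }
    $1 == "flip" && $2 == "flop" {
        newmac = pad($4); oldmac = pad(strip_parens($5))
        printf "ALERT flip flop: %s now %s, was %s\n", $3, newmac, oldmac
        record($3, newmac); record($3, oldmac); next
    }
    END {
        for (ip in ipcount)
            if (ipcount[ip] > 1)
                printf "CONFLICT %s seen with %d MACs:%s\n", ip, ipcount[ip], ipmacs[ip]
        for (mac in maccount)
            if (maccount[mac] > 1)
                printf "SHARED %s claims %d IPs:%s\n", mac, maccount[mac], macips[mac]
    }'
}

# Constructed sample (not a real capture): the tutorial's "new station" lines
# followed by the gateway 192.168.5.1 moving to the MAC of 192.168.5.177.
SAMPLE_LOG='Apr 28 04:27:58 linuxhelp arpwatch: listening on eth0
Apr 28 04:27:59 linuxhelp arpwatch: new station 192.168.5.12 54:be:f7:38:a6:0
Apr 28 04:28:04 linuxhelp arpwatch: new station 192.168.5.1 3c:61:4:6c:d6:81
Apr 28 04:28:04 linuxhelp arpwatch: new station 192.168.5.177 0:c:29:10:e1:fd
Apr 28 04:31:10 linuxhelp arpwatch: changed ethernet address 192.168.5.1 0:c:29:10:e1:fd (3c:61:4:6c:d6:81)
Apr 28 04:31:40 linuxhelp arpwatch: flip flop 192.168.5.1 3c:61:4:6c:d6:81 (0:c:29:10:e1:fd)
Apr 28 04:32:00 linuxhelp arpwatch: new station 192.168.5.20 0:22:4d:9f:6e:41'

scan_sample() { printf '%s\n' "$SAMPLE_LOG" | arpwatch_findings; }

# On a live system: tail -n 500 /var/log/messages | arpwatch_findings
scan_sample
```

On the sample the script prints two ALERT lines for 192.168.5.1, a CONFLICT line listing both MACs that IP has used, and a SHARED line showing that 00:0c:29:10:e1:fd now claims both 192.168.5.177 and the gateway. A SHARED finding on its own is not proof of spoofing (a router or a host with several addresses will trigger it too), so treat it as a lead to confirm against the switch's MAC table.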
To check current ARP table
Run arp -a to list the kernel's current ARP cache. Comparing it with the pairings arpwatch has reported shows whether this host has itself accepted a changed mapping (note that arp -a zero-pads MAC octets while arpwatch does not).
[root@linuxhelp Desktop]# arp -a
? (192.168.5.1) at 3c:61:04:6c:d6:81 [ether] on eth0
To send an alert to custom email id
Open the main configuration file /etc/sysconfig/arpwatch and set the recipient address in the OPTIONS line. The -e option sets the address notifications are sent to and -s the sender name shown on the mail; -u arpwatch makes the daemon drop root privileges to the arpwatch user once it has opened the capture interface, so keep it. The address below is a placeholder; substitute your own.
OPTIONS="-u arpwatch -e admin@example.com -s 'root (Arpwatch)'"
Each notification carries the log details of the pairing concerned: the hostname, IP address, MAC address, Ethernet vendor (looked up from the OUI) and timestamps.