Today I will mention about arpwatch utility (developed by LBNL’s Network Research Group) as it is a small and very useful tool that will keep track of the Ethernet/IP address pairings and log every change which you can monitor and analyze.
I am using Debian so I will just execute apt-get to install arpwatch:
$ sudo apt-get install arpwatch
Default application arguments are stored in /etc/default/arpwatch configuration file:
# Global options for arpwatch(8). # Debian: don't report bogons, don't use PROMISC. ARGS="-N -p" # Debian: run as `arpwatch' user. Empty this to run as root. RUNAS="arpwatch"
As you see arpwatch is not reporting any bogons (see “Log messages” below) by default so you need to remove the -N parameter to disable this behavior.
Main configuration is stored in /etc/arpwatch.conf file:
# /etc/arpwatch.conf: Debian-specific way to watch multiple interfaces. # Format of this configuration file is: # #<dev1> <arpwatch options for dev1> #<dev2> <arpwatch options for dev2> #... #<devN> <arpwatch options for devN> # # You can set global options for all interfaces by editing # /etc/default/arpwatch # For example: #eth0 -m root #eth1 -m root #eth2 -m root # or, if you have an MTA configured for plussed addressing: # #eth0 -m root+eth0 #eth1 -m root+eth1 #eth2 -m root+eth2
Use this file to define list of interfaces and additional parameters.
Use /etc/init.d/arpwatch script to start or stop service.
This IP address doesn’t belong to the local subnet:
Mar 2 16:21:38 dhcp arpwatch: bogon 192.168.0.110 0:30:13:a0:a:1d
This Ethernet/IP address pair has not been seen before:
Jul 1 18:11:15 dhcp arpwatch: new station 126.96.36.199 d4:2a:d1:61:6:84
This Ethernet/IP address pair has been used for the first time (six months period or more):
Jul 4 13:51:04 dhcp arpwatch: new activity 188.8.131.52 0:81:28:12:b3:d
Ethernet address has changed:
Jul 6 18:31:25 dhcp arpwatch: changed ethernet address 184.108.40.206 fc:55:43:31:7:14 (0:71:12:2f:5a:12)
Ethernet address has changed to the previous one:
Jul 27 17:27:19 dhcp arpwatch: flip flop 220.127.116.11 0:71:12:2f:5a:12 (fc:55:43:31:7:14)
Ethernet address has changed to the older one:
Jul 29 13:32:13 dhcp arpwatch: reused old ethernet address 18.104.22.168 0:34:52:31:a:1d (d4:b1:d4:16:69:68)
In case you use different operating system like OpenBSD then you need to edit /etc/rc.local file and add arpwatch command with parameters to start it at boot.
# $OpenBSD: rc.local,v 1.39 2006/07/28 20:19:46 sturm Exp $ # Site-specific startup actions, daemons, and other things which # can be done AFTER your system goes into securemode. For actions # which should be done BEFORE your system has gone into securemode # please see /etc/rc.securelevel. echo -n 'starting local daemons:' # Add your local startup actions here. if [ -x /usr/local/sbin/arpwatch -a -d /var/arpwatch ]; then /usr/local/sbin/arpwatch -i fxp0 -n 10.0.1.0/24 -n 10.0.2.0/24 echo -n ' arpwatch' fi echo '.'