Arpwatch Tool to Monitor Ethernet Activity in Linux


As a system administrator, it is crucial to keep an eye on network activity in order to ensure security and detect any anomalies. In Linux, one useful tool for monitoring Ethernet activity is Arpwatch. In this article, we will explore what Arpwatch is, how it works, and how to use it effectively.

What is Arpwatch?

Arpwatch is a tool that monitors Ethernet activity on a network. It is designed to keep track of Ethernet/IP address pairings (ARP activity) and alert the system administrator when any changes occur. ARP (Address Resolution Protocol) is the protocol used to map an IP address to a MAC address on a local network.

Arpwatch is particularly useful for detecting potential network attacks such as ARP spoofing or MAC address spoofing, which can be used to intercept network traffic or launch a man-in-the-middle attack.

How Arpwatch Works

Arpwatch listens to Ethernet traffic on the network and keeps a record of all IP/MAC address pairings it observes. It stores this information in a database, which it then uses to compare against any new ARP traffic it receives. If it detects a change, such as an IP address now mapping to a different MAC address, it sends an alert to the system administrator.

Arpwatch can be configured to run as a daemon, meaning it continuously monitors network activity in the background and alerts the administrator whenever it detects a change.

Installing Arpwatch

Arpwatch can be installed on most Linux distributions using the package manager. On Debian-based systems, you can install it using the following command −

sudo apt-get install arpwatch

On Red Hat-based systems, you can install it using the following command −

sudo yum install arpwatch

Configuring Arpwatch

Once Arpwatch is installed, it needs to be configured before it can start monitoring network activity. The configuration file for Arpwatch is located at /etc/arpwatch.conf.

Here is an example configuration file −

# arpwatch.conf
# Interface to monitor
DEVICE=eth0
# Email address to send alerts to
#EMAIL_ADDRESS=root
# File to store ARP database
#ARP_FILE=/var/lib/arpwatch/arp.dat
# Run as daemon
#RUN_DAEMON=yes

To start Arpwatch, uncomment the RUN_DAEMON=yes line and save the file. Then, start the Arpwatch service using the following command −

sudo service arpwatch start

Arpwatch will now begin monitoring Ethernet activity on the specified network interface.

Viewing Arpwatch Alerts

When Arpwatch detects a change in ARP activity, it sends an alert to the email address specified in the configuration file. The alert includes information about the new IP/MAC address pairing, as well as the previous pairing.

Here is an example alert −

This is arpwatch program, also known as etherwatch.
There was a change in status for ethernet address
00:11:22:33:44:55 on network interface eth0:

   Previous status: 192.168.1.100 00:11:22:33:44:55
   New status: 192.168.1.101 00:11:22:33:44:55

In addition to email alerts, Arpwatch can also log ARP activity to a file. The default location for the ARP database file is /var/lib/arpwatch/arp.dat. This file can be opened with a text editor or viewed using the arpwatch command −

sudo arpwatch /var/lib/arpwatch/arp.dat

This will display a list of all IP/MAC address pairings that Arpwatch has detected and recorded.

Arpwatch Options

Arpwatch has several options that can be used to customize its behavior. Here are a few useful options −

  • -n − Do not resolve hostnames.

  • -r − Run in read-only mode (do not write to the ARP database).

  • -f − Specify an alternate location for the ARP database file.

  • -a − Append to the ARP database file instead of overwriting it.

  • -d − Increase debugging output.

For example, to run Arpwatch in read-only mode and display debugging output, you could use the following command −

sudo arpwatch -r -d

Advanced Usage of Arpwatch

While the basic usage of Arpwatch is straightforward, there are some more advanced features that can be used to enhance its functionality.

MAC Address Whitelisting

By default, Arpwatch will alert you to any changes in the MAC address to IP address mappings on your network. However, if you have devices on your network that frequently change MAC addresses, such as smartphones or laptops, this can result in a lot of false alerts. To prevent this, you can whitelist MAC addresses that are allowed to change. This can be done by adding the MAC addresses to the arp.dat file located in the same directory as the Arpwatch logs. Each MAC address should be on a separate line in the following format −

xx:xx:xx:xx:xx:xx	ignore

In this example, xx:xx:xx:xx:xx:xx should be replaced with the MAC address that you want to whitelist.
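The following is an added example (not arpwatch's own code) that models the change detection described under "How Arpwatch Works" together with the ignore-list format shown above: it loads a constructed arp.dat-style snapshot, then classifies each observed IP/MAC pairing as a new station, a changed Ethernet address, or a flip flop back to a previously seen address, and stays silent for whitelisted MACs. The event names and the assumption that the database is keyed by IP address mirror arpwatch's reports but are this example's own simplification.

```python
# Toy ARP-pairing tracker modelled on arpwatch's change detection
# (added example, not arpwatch's own code; the snapshot below is constructed).
from collections import defaultdict

# Constructed arp.dat-style snapshot: "<mac>\t<ip>\t<unix time>" per station,
# plus the "<mac>\tignore" whitelist form described in the article.
SAMPLE_ARP_DAT = (
    "00:11:22:33:44:55\t192.168.1.100\t1680000000\n"
    "aa:bb:cc:dd:ee:01\t192.168.1.1\t1680000000\n"
    "de:ad:be:ef:00:01\tignore\n"
)

def load_db(text):
    """Parse the snapshot into {ip: [macs seen, newest last]} and the ignore set."""
    history, ignored = defaultdict(list), set()
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) < 2:
            continue
        mac = fields[0].lower()
        if fields[1] == "ignore":
            ignored.add(mac)              # whitelisted: changes are never reported
        else:
            history[fields[1]].append(mac)
    return history, ignored

def observe(history, ignored, ip, mac):
    """Classify one observed IP/MAC pairing the way arpwatch reports it and
    update the database. Returns None when there is nothing to alert on."""
    mac = mac.lower()
    if mac in ignored:
        return None
    seen = history[ip]
    if not seen:                          # IP never seen before
        seen.append(mac)
        return "new station"
    if seen[-1] == mac:                   # same pairing as last time
        return None
    # A MAC that was already recorded for this IP is a flip flop; a brand-new
    # MAC for a known IP is a changed ethernet address (a spoofing indicator).
    event = "flip flop" if mac in seen else "changed ethernet address"
    seen.append(mac)
    return event

if __name__ == "__main__":
    db, ign = load_db(SAMPLE_ARP_DAT)
    for ip, mac in [("192.168.1.100", "66:77:88:99:aa:bb"),
                    ("192.168.1.100", "00:11:22:33:44:55")]:
        print(ip, mac, observe(db, ign, ip, mac))
```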

DHCP Snooping

If your network uses DHCP to assign IP addresses to devices, you can enable DHCP snooping in Arpwatch. This will allow Arpwatch to correlate MAC addresses with their assigned IP addresses and provide more detailed information in its logs and alerts. To enable DHCP snooping, add the following line to the Arpwatch configuration file −

dhcp-snooping

DNS Resolution

By default, Arpwatch will only record IP addresses in its logs and alerts. However, if you want to see hostnames instead of IP addresses, you can enable DNS resolution in Arpwatch. To enable DNS resolution, add the following line to the Arpwatch configuration file −

resolve

This will cause Arpwatch to perform a reverse DNS lookup on each IP address it sees and include the hostname in its logs and alerts.

Conclusion

Arpwatch is a powerful tool for monitoring Ethernet activity on a network. By keeping track of ARP activity and alerting the system administrator to any changes, it can help to detect potential network attacks and maintain network security. With its simple installation and configuration process, Arpwatch is a great addition to any Linux administrator's toolkit.

Updated on: 31-Mar-2023
