Arpwatch Tool to Monitor Ethernet Activity in Linux
As a system administrator, it is crucial to keep an eye on network activity in order to ensure security and detect any anomalies. In Linux, one useful tool for monitoring Ethernet activity is Arpwatch. In this article, we will explore what Arpwatch is, how it works, and how to use it effectively.
What is Arpwatch?
Arpwatch is a network monitoring tool that tracks Ethernet/IP address pairings and alerts administrators when changes occur. It monitors ARP (Address Resolution Protocol) activity, which maps IP addresses to MAC addresses on local networks.
Arpwatch is particularly useful for detecting potential network attacks such as ARP spoofing or MAC address spoofing, which can be used to intercept network traffic or launch man-in-the-middle attacks.
How Arpwatch Works
Arpwatch operates by listening to Ethernet traffic and maintaining a database of all observed IP/MAC address pairings. When it detects a change, such as a known IP address suddenly mapping to a different MAC address, it sends an alert to the system administrator.
Arpwatch can be configured to run as a daemon, continuously monitoring network activity in the background and alerting administrators when it detects any changes.
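To make the database-and-compare logic concrete, here is an added example written for this article (it is not arpwatch's own source): a small Python model that loads constructed arp.dat-style records (assumed layout: MAC, IP, Unix timestamp and optional hostname, tab-separated), then checks each new ARP reply against the stored pairing and reports the same kinds of events arpwatch mails out, including the flip-flop case where an address reverts to its earlier MAC.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
@dataclass
class Station:
    mac: str
    last_seen: int
    previous_mac: Optional[str] = None  # remembered so a revert is reported as a flip flop

@dataclass
class ArpDatabase:
    stations: Dict[str, Station] = field(default_factory=dict)  # keyed by IP address

    def load(self, text: str) -> None:
        """Load arp.dat lines; assumed layout: MAC<TAB>IP<TAB>unix-time[<TAB>hostname]."""
        for line in text.splitlines():
            parts = line.strip().split("\t")
            if len(parts) < 3:
                continue  # skip blank or malformed lines
            self.stations[parts[1]] = Station(mac=parts[0].lower(), last_seen=int(parts[2]))

    def observe(self, ip: str, mac: str, ts: int) -> Optional[Tuple[str, str, str]]:
        """Record a pairing seen on the wire; return (event, ip, mac) when it deserves an alert."""
        mac = mac.lower()
        st = self.stations.get(ip)
        if st is None:
            self.stations[ip] = Station(mac=mac, last_seen=ts)
            return ("new station", ip, mac)
        if st.mac == mac:
            st.last_seen = ts
            return None  # same pairing as before, nothing to report
        # The IP now answers from a different MAC: the signal an ARP spoof produces.
        event = "flip flop" if mac == st.previous_mac else "changed ethernet address"
        st.previous_mac, st.mac, st.last_seen = st.mac, mac, ts
        return (event, ip, mac)

def replay(db: ArpDatabase, replies: List[Tuple[str, str, int]]) -> List[Tuple[str, str, str]]:
    """Feed (ip, mac, timestamp) observations through the database, keeping only the alerts."""
    return [ev for ev in (db.observe(ip, mac, ts) for ip, mac, ts in replies) if ev]
# Constructed sample: known gateway at .1 and workstation at .100, then four ARP replies.
SAMPLE_ARP_DAT = ("00:11:22:33:44:55\t192.168.1.100\t1700000000\thost-a\n"
                  "aa:bb:cc:dd:ee:01\t192.168.1.1\t1700000000\tgateway\n")
SAMPLE_REPLIES = [("192.168.1.100", "00:11:22:33:44:55", 1700000100),  # unchanged
                  ("192.168.1.1", "de:ad:be:ef:00:01", 1700000200),    # gateway moves MAC
                  ("192.168.1.1", "aa:bb:cc:dd:ee:01", 1700000300),    # and moves back
                  ("192.168.1.50", "00:aa:bb:cc:dd:ee", 1700000400)]   # never seen before

if __name__ == "__main__":
    db = ArpDatabase()
    db.load(SAMPLE_ARP_DAT)
    print(replay(db, SAMPLE_REPLIES))
```

Run as a script, it prints three events: the gateway's changed ethernet address, the flip flop when it reverts, and the new station at .50; the unchanged reply from .100 only refreshes its timestamp.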
Installing Arpwatch
Arpwatch can be installed on most Linux distributions using the package manager. On Debian-based systems, use the following command
sudo apt-get install arpwatch
On Red Hat-based systems, use
sudo yum install arpwatch
Configuring Arpwatch
Once installed, Arpwatch needs to be configured before it can start monitoring. The configuration file is located at /etc/arpwatch.conf.
Here is an example configuration file
# arpwatch.conf
# Interface to monitor
DEVICE=eth0
# Email address to send alerts to
#EMAIL_ADDRESS=root
# File to store ARP database
#ARP_FILE=/var/lib/arpwatch/arp.dat
# Run as daemon
#RUN_DAEMON=yes
To start Arpwatch, uncomment the RUN_DAEMON=yes line and save the file. Then, start the Arpwatch service
sudo service arpwatch start
Viewing Arpwatch Alerts
When Arpwatch detects changes in ARP activity, it sends alerts to the email address specified in the configuration file. The alert includes information about the new IP/MAC address pairing and the previous pairing.
Example alert
This is arpwatch program, also known as etherwatch.
There was a change in status for ethernet address 00:11:22:33:44:55 on network interface eth0:

Previous status: 192.168.1.100 00:11:22:33:44:55
New status: 192.168.1.101 00:11:22:33:44:55
Arpwatch also records the pairings it has learned in a plain-text database file. The default location is /var/lib/arpwatch/arp.dat. View the database with
sudo cat /var/lib/arpwatch/arp.dat
Arpwatch Command Options
Arpwatch provides several command-line options to customize its behavior
| Option | Description |
|---|---|
| -n | Do not resolve hostnames |
| -r | Run in read-only mode (do not write to ARP database) |
| -f | Specify alternate location for ARP database file |
| -a | Append to ARP database file instead of overwriting |
| -d | Increase debugging output |
Example usage with options
sudo arpwatch -r -d
Advanced Features
MAC Address Whitelisting
To prevent false alerts from devices that frequently change MAC addresses (smartphones, laptops), you can whitelist MAC addresses by adding them to the arp.dat file
xx:xx:xx:xx:xx:xx ignore
DHCP Integration
For networks using DHCP, enable DHCP snooping to correlate MAC addresses with assigned IP addresses. Add this line to the configuration file
dhcp-snooping
DNS Resolution
To display hostnames instead of IP addresses in logs and alerts, enable DNS resolution
resolve
Conclusion
Arpwatch is a powerful network monitoring tool that helps detect potential security threats by tracking ARP activity and alerting administrators to changes. With its simple installation process and flexible configuration options, Arpwatch is an essential tool for Linux network security monitoring.
