{"id":502,"date":"2016-05-16T15:37:17","date_gmt":"2016-05-16T19:37:17","guid":{"rendered":"http:\/\/easy-admin.ca\/?p=502"},"modified":"2017-06-09T08:33:53","modified_gmt":"2017-06-09T12:33:53","slug":"arpwatch-tool-to-monitor-ethernet-activity-in-linux","status":"publish","type":"post","link":"https:\/\/easy-admin.ca\/index.php\/2016\/05\/16\/arpwatch-tool-to-monitor-ethernet-activity-in-linux\/","title":{"rendered":"Arpwatch Tool to Monitor Ethernet Activity in Linux"},"content":{"rendered":"<p><span style=\"color: #ff0000;\"><strong>WARNING :<\/strong><\/span> BE CAREFUL USING ARPWATCH,<br \/>\nIT MAY CAUSE IP CONFLICT!<\/p>\n<p><strong>Arpwatch<\/strong> is an open source computer software program that helps you to monitor <strong>Ethernet<\/strong> traffic activity (like <strong>Changing IP<\/strong> and <strong>MAC Addresses<\/strong>) on your network and maintains a database of ethernet\/ip address pairings. It produces a log of observed IP and MAC address pairings along with timestamps, so you can see when each pairing appeared on the network. It can also send reports via email to a network administrator when a pairing is added or changed.<\/p>\n<p>This tool is especially useful for <strong>network administrators<\/strong> who want to keep watch on <strong>ARP activity<\/strong> to detect <strong>ARP spoofing<\/strong> or unexpected <strong>IP\/MAC<\/strong> address modifications.<\/p>\n<p>By default, the <strong>Arpwatch<\/strong> tool is not installed on any Linux distribution. 
We must install it manually using the \u2018<strong>yum<\/strong>\u2018 command on <strong>RHEL<\/strong>, <strong>CentOS<\/strong>, <strong>Fedora<\/strong> and \u2018<strong>apt-get<\/strong>\u2018 on <strong>Ubuntu<\/strong>, <strong><span id=\"IL_AD4\" class=\"IL_AD\">Linux Mint<\/span><\/strong> and <strong>Debian<\/strong>.<\/p>\n<pre># yum install arpwatch<\/pre>\n<p>Let\u2019s focus on some of the most important arpwatch files; their locations differ slightly depending on your operating system.<\/p>\n<ol>\n<li><strong>\/etc\/rc.d\/init.d\/arpwatch<\/strong> : The arpwatch service script for starting or stopping the daemon.<\/li>\n<li><strong>\/etc\/sysconfig\/arpwatch<\/strong> : This is the main configuration file\u2026<\/li>\n<li><strong>\/usr\/sbin\/arpwatch<\/strong> : Binary command to start and stop the tool via the terminal.<\/li>\n<li><strong>\/var\/arpwatch\/arp.dat<\/strong> : This is the main database file where IP\/MAC addresses are recorded.<\/li>\n<li><strong>\/var\/log\/messages<\/strong> : The log file where arpwatch writes any changes or unusual activity involving IP\/MAC pairings.<\/li>\n<\/ol>\n<p>Type the following commands to start the arpwatch service.<\/p>\n<pre># chkconfig --level 35 arpwatch on\r\n# \/etc\/init.d\/arpwatch start<\/pre>\n<p><strong>Arpwatch Commands and Usage<\/strong><\/p>\n<p>To watch a specific interface, type the following command with \u2018<strong>-i<\/strong>\u2018 and the device name.<\/p>\n<pre># arpwatch -i eth0<\/pre>\n<p>So, whenever a new MAC is plugged in or a particular IP changes its MAC address on the network, you will see syslog entries in the \u2018<strong>\/var\/log\/syslog<\/strong>\u2018 or \u2018<strong>\/var\/log\/messages<\/strong>\u2018 file.<\/p>\n<pre># tail -f \/var\/log\/messages<\/pre>\n<p>You can also check the current <strong>ARP<\/strong> table by using the following command.<\/p>\n<pre># arp -a<\/pre>\n<p>If you want to send alerts to your own email address, then open the main configuration file 
\u2018<strong>\/etc\/sysconfig\/arpwatch<\/strong>\u2018 and add the email address as shown below.<\/p>\n<pre># -u &lt;username&gt; : defines with what user id arpwatch should run\r\n# -e &lt;email&gt;    : the &lt;email&gt; where to send the reports\r\n# -s &lt;from&gt;     : the &lt;from&gt;-address\r\nOPTIONS=\"-u arpwatch -e email<strong>@domain.xxx<\/strong> -s 'root (Arpwatch)'\"<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>WARNING : BE CAREFUL USING ARPWATCH, IT MAY CAUSE IP CONFLICT! Arpwatch is an open source computer software program that helps you to monitor Ethernet traffic activity (like Changing IP and MAC Addresses) on your network and maintains a database of ethernet\/ip address pairings. It produces a log of noticed pairing of IP and MAC &hellip; <a href=\"https:\/\/easy-admin.ca\/index.php\/2016\/05\/16\/arpwatch-tool-to-monitor-ethernet-activity-in-linux\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Arpwatch Tool to Monitor Ethernet Activity in 
Linux<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-502","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=502"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/502\/revisions"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}