Blog | G5 Cyber Security

Arpwatch: Network Change Detection

TL;DR

Arpwatch monitors your network for changes in the ARP table, alerting you to potential issues like ARP spoofing or rogue devices. This guide shows how to install, configure and interpret its output.

1. What is Arpwatch?

Arpwatch passively listens on a network interface and records the MAC addresses associated with IP addresses in the ARP (Address Resolution Protocol) table. It then compares this information over time. If it detects changes – new MAC addresses for known IPs, or entirely new IP/MAC pairings – it logs these events. This is useful for detecting:

2. Installation

Arpwatch is available in most Linux distribution repositories. Here’s how to install it on common systems:

  1. Debian/Ubuntu:
    sudo apt update && sudo apt install arpwatch
  2. CentOS/RHEL/Fedora:
    sudo yum install arpwatch
  3. Arch Linux:
    sudo pacman -S arpwatch

3. Configuration

The main configuration file is usually located at /etc/arpwatch.conf. You’ll need to edit this to specify the network interface you want to monitor.

  1. Edit the config file: Open /etc/arpwatch.conf with a text editor (e.g., sudo nano /etc/arpwatch.conf).
  2. Set the interface: Find the line starting with interface and change it to your network interface name (e.g., eth0, wlan0). You can list your interfaces with ip addr show. For example:
    interface eth0
  3. Optional: Email alerts: Arpwatch can send email alerts. Configure the emailto option with a valid email address. You might also need to configure an SMTP server if it’s not already set up on your system.
  4. Optional: Log file location: The default log file is usually fine, but you can change it using the logfile option.

4. Starting Arpwatch

Start the arpwatch service:

sudo systemctl start arpwatch

Enable it to start automatically on boot:

sudo systemctl enable arpwatch

5. Checking the Logs

Arpwatch logs events to a file, typically /var/log/arpwatch.log. Use a text editor or command-line tool like tail to view the log:

sudo tail -f /var/log/arpwatch.log

6. Interpreting Log Output

Arpwatch logs entries when it detects changes in the ARP table. Here’s a typical entry:

14:32:58 arpwatch - new MAC address 00:11:22:33:44:55 for IP address 192.168.1.100 on eth0

Repeated changes for the same IP address could indicate ARP spoofing or a device repeatedly disconnecting and reconnecting.
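To turn the "repeated changes for the same IP" heuristic into something you can run against the log, here is an added example (it is not part of the original post and not arpwatch's own tooling): a small shell function that tallies, per IP address, how many events arpwatch logged and how many distinct MAC addresses it saw, and prints the IPs above a threshold. It assumes the entry format shown above (a field-position change in the awk script is all that is needed if your arpwatch version words its messages differently); the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: flag IPs whose MAC address keeps
# changing in the arpwatch log. Parses the entry format shown in the post:
#   HH:MM:SS arpwatch - new MAC address <mac> for IP address <ip> on <iface>
# If your arpwatch version logs a different wording, adjust the awk pattern
# and the field numbers ($7 = MAC, $11 = IP) accordingly.

# Constructed sample log: 192.168.1.100 flips between two MACs (four events),
# 192.168.1.50 and 192.168.1.7 each appear once.
SAMPLE_LOG='14:32:58 arpwatch - new MAC address 00:11:22:33:44:55 for IP address 192.168.1.100 on eth0
14:33:10 arpwatch - new MAC address 00:11:22:33:44:66 for IP address 192.168.1.100 on eth0
14:33:12 arpwatch - new MAC address aa:bb:cc:dd:ee:01 for IP address 192.168.1.50 on eth0
14:33:40 arpwatch - new MAC address 00:11:22:33:44:55 for IP address 192.168.1.100 on eth0
14:34:05 arpwatch - new MAC address 00:11:22:33:44:66 for IP address 192.168.1.100 on eth0
14:35:00 arpwatch - new MAC address de:ad:be:ef:00:07 for IP address 192.168.1.7 on eth0'

# Usage: arpwatch_flapping THRESHOLD < logfile
# Prints "IP EVENTS DISTINCT_MACS" for every IP with more than THRESHOLD
# events, most events first. A high event count with only two distinct MACs
# is the classic flip-flop pattern worth a closer look.
arpwatch_flapping() {
    threshold="${1:-1}"
    awk -v threshold="$threshold" '
        /new MAC address/ {
            mac = $7; ip = $11
            events[ip]++
            # count each (ip, mac) pairing only once
            if (!((ip, mac) in seen)) { seen[ip, mac] = 1; macs[ip]++ }
        }
        END {
            for (ip in events)
                if (events[ip] > threshold)
                    printf "%s %d %d\n", ip, events[ip], macs[ip]
        }' | sort -k2,2nr
}

# Run against the constructed sample; on a real host use:
#   sudo arpwatch_flapping 2 < /var/log/arpwatch.log
printf '%s\n' "$SAMPLE_LOG" | arpwatch_flapping 1
```

Only 192.168.1.100 clears the threshold of one event in the sample, and its line shows four events spread over two MAC addresses. The threshold is deliberately a parameter: on a network with DHCP churn a single change per IP is normal, so start with a higher value and lower it once you know the baseline.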

7. Further Investigation
