Detect Arp Spoofing with Ruby

TL;DR

This guide shows you how to detect ARP spoofing attacks on your network using a simple Ruby script. We’ll monitor the MAC address table and alert you if any changes occur, which could indicate someone is trying to intercept network traffic.

What You’ll Need

  • A Linux machine (e.g., Ubuntu, Debian) – this is where we’ll run the script.
  • Ruby installed. Check with ruby -v. If not installed, use your distribution’s package manager (e.g., sudo apt install ruby on Debian/Ubuntu).

  • Root access (or sudo privileges) to run commands that read network information.

Step-by-Step Guide

  1. Install the necessary Ruby gem: We’ll use the ‘packet_fu’ gem to easily parse ARP packets.
    gem install packet_fu
  2. Create the Ruby script (arp_monitor.rb): Open a text editor and paste in the following code:
    #!/usr/bin/env ruby
    # The shebang line is what lets `chmod +x` and `./arp_monitor.rb` (steps 3 and 4) work.
    require 'packet_fu' # Installed in step 1; the polling below reads the kernel ARP cache directly.
    
    # Interface to monitor (e.g., eth0, wlan0)
    INTERFACE = 'eth0' # Change this if needed!
    
    # Matches one line of `ip neigh show`, e.g.
    #   192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
    # Entries without a resolved MAC (FAILED / INCOMPLETE) carry no "lladdr" and are skipped.
    NEIGH_LINE = /\A(?<ip>\S+)\s.*\blladdr\s+(?<mac>[0-9a-f:]{17})/i
    
    # Function to get the current ARP table for INTERFACE as { ip => mac }.
    # `ip neigh` is used rather than `arp -an` because net-tools is often absent
    # on current distributions and its output puts the IP in parentheses.
    def get_arp_table
      arp_table = {}
      `ip -4 neigh show dev #{INTERFACE}`.each_line do |line|
        m = NEIGH_LINE.match(line.strip)
        arp_table[m[:ip]] = m[:mac].downcase if m
      end
      arp_table
    end
    
    # Get the initial ARP table
    initial_macs = get_arp_table
    
    puts "Monitoring interface: #{INTERFACE}"
    puts "Initial MAC address table:"
    initial_macs.each { |ip, mac| puts "  #{ip}: #{mac}" }
    
    # Main loop to monitor for changes
    loop do
      sleep 5 # Check every 5 seconds
      current_macs = get_arp_table
    
      # Check for new entries or changed MAC addresses
      current_macs.each do |ip, mac|
        if !initial_macs.key?(ip)
          puts "New entry detected: #{ip}: #{mac}"
        elsif initial_macs[ip] != mac
          puts "ARP spoofing detected for #{ip}! MAC address changed from #{initial_macs[ip]} to #{mac}"
        end
      end
    
      # Check for removed entries
      initial_macs.each do |ip, mac|
        puts "Entry removed: #{ip}: #{mac}" unless current_macs.key?(ip)
      end
    
      initial_macs = current_macs # Update initial table for next iteration
    end
  3. Make the script executable: This allows you to run it directly.
    chmod +x arp_monitor.rb
  4. Run the script as root (or with sudo): You need elevated privileges to access network information.
    sudo ./arp_monitor.rb
  5. Interpret the output: The script will print messages if it detects:
    • New entry detected: A new IP address and MAC address pair has appeared on your network. This isn’t necessarily malicious, but worth investigating.
    • ARP spoofing detected for [IP]! MAC address changed from [old MAC] to [new MAC]: This is a strong indicator of ARP spoofing. Someone is likely trying to intercept traffic destined for that IP address.
    • Entry removed: An IP/MAC pair has disappeared.
  6. Important Considerations:
    • Interface Name: Make sure the INTERFACE variable in the script is set to the correct network interface on your machine (e.g., eth0, wlan0). Use ifconfig or ip addr show to find it.
    • False Positives: Dynamic IP addresses and legitimate network changes can cause false positives. Consider the context of your network when interpreting the output.
    • Security Best Practice: This script is a basic detection tool. For robust cyber security, use it in conjunction with other security measures like static ARP entries, port security on switches, and intrusion detection systems.
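As an added example (not part of the original post), the same table-diffing logic in a testable form, run against constructed `ip neigh` snapshots instead of a live host. It goes one step beyond the script above by also flagging a single MAC that answers for several IPs, the usual footprint of a poisoned gateway entry. All addresses and MACs below are made up.

```ruby
# Constructed sample `ip -4 neigh show` output; not captured from a real host.
BASELINE = <<~NEIGH
  192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
  192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
  192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 STALE
  192.168.1.99 dev eth0  FAILED
NEIGH

# A later snapshot: the gateway (.1) now resolves to the MAC of host .30,
# .20 has aged out of the cache and .40 is new.
LATER = <<~NEIGH
  192.168.1.1 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
  192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
  192.168.1.40 dev eth0 lladdr 00:11:22:33:44:40 REACHABLE
NEIGH

# One neighbour line; entries without a resolved MAC (FAILED/INCOMPLETE) are skipped.
NEIGH_LINE = /\A(?<ip>\S+)\s.*\blladdr\s+(?<mac>[0-9a-f:]{17})/i

def parse_neigh(text)
  text.each_line.with_object({}) do |line, table|
    m = NEIGH_LINE.match(line.strip)
    table[m[:ip]] = m[:mac].downcase if m
  end
end

# Compare two snapshots; returns [kind, ip, old_mac, new_mac] tuples.
def diff_tables(before, after)
  alerts = []
  after.each do |ip, mac|
    if !before.key?(ip)
      alerts << [:new, ip, nil, mac]
    elsif before[ip] != mac
      alerts << [:changed, ip, before[ip], mac]
    end
  end
  (before.keys - after.keys).each { |ip| alerts << [:removed, ip, before[ip], nil] }
  alerts
end

# MACs that answer for more than one IP: { mac => [ips] }.
def shared_macs(table)
  table.group_by { |_ip, mac| mac }
       .select { |_mac, pairs| pairs.size > 1 }
       .transform_values { |pairs| pairs.map(&:first).sort }
end

if __FILE__ == $PROGRAM_NAME
  diff_tables(parse_neigh(BASELINE), parse_neigh(LATER)).each { |a| puts a.inspect }
  shared_macs(parse_neigh(LATER)).each { |mac, ips| puts "#{mac} claims #{ips.join(', ')}" }
end
```

Feeding the monitor script's successive get_arp_table results through diff_tables and shared_macs gives the same alerts plus the shared-MAC check.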