arpwatch is a software tool for monitoring Address Resolution Protocol (ARP) traffic on a computer network. It generates a log of observed pairings of IP addresses with MAC addresses, along with a timestamp of when each pairing appeared on the network. It can also send an email to an administrator when a pairing changes or is added.

Its main goal is to detect ARP poisoning attacks (e.g. from tools such as Ettercap and Netcut). It also helps detect intruders on your network by sending an email to an administrator when a new Ethernet MAC address is seen on the network.
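The pairing tracking described above can be sketched in a few lines of shell and awk. This is an added example, not arpwatch's own code: the input format ("epoch ip mac"), the function names, the event labels and the sample addresses are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: track IP-to-MAC pairings and report additions and changes.
# Input lines:  "<epoch> <ip> <mac>"   (constructed format, not arpwatch's)
# Output lines: "<epoch> <event> <ip> <mac> [previous-mac]"

arp_pair_events() {
    awk '
    NF < 3 || $1 ~ /^#/ { next }            # skip blank, short and comment lines
    {
        ts = $1; ip = $2; mac = tolower($3) # normalise MAC case before comparing
        if (!(ip in cur)) {
            print ts, "new", ip, mac        # pairing added
        } else if (cur[ip] != mac) {
            # pairing changed; "flipflop" means the IP went back to the
            # MAC it had immediately before the current one
            ev = (prev[ip] == mac) ? "flipflop" : "changed"
            print ts, ev, ip, mac, cur[ip]
            prev[ip] = cur[ip]
        }
        cur[ip] = mac
    }'
}

# Constructed sample observations: the gateway address 192.168.1.1
# briefly maps to the MAC of host 192.168.1.20, then maps back.
sample_observations() {
    cat <<'EOF'
# epoch ip mac
1723561944 192.168.1.1 AA:BB:CC:00:00:01
1723561950 192.168.1.20 aa:bb:cc:00:00:14
1723561960 192.168.1.1 aa:bb:cc:00:00:01
1723562000 192.168.1.1 aa:bb:cc:00:00:14
1723562030 192.168.1.1 aa:bb:cc:00:00:01
1723562060 192.168.1.30 aa:bb:cc:00:00:1e
EOF
}

# Stand-alone run: print the events for the sample data.
sample_observations | arp_pair_events
```

A "changed" or "flipflop" event on the gateway's IP is the case worth alerting on first; a "new" event only means a previously unseen address appeared.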

Preview

Arpwatch's email report

Requirements

Minimum size requirement on OpenWrt: 0.31 MB

Prerequisites

  1. ssmtp – required for sending email

Known Issues

  1. Arpwatch can’t resolve a MAC address’s hostname or Ethernet vendor
  2. Arpwatch uses a lot of memory

Installation and Configuration

To install and configure Arpwatch, run the following steps over SSH:

Step 1: Install Arpwatch

Step 2: Run and Start Arpwatch automatically at boot

Testing

To test whether Arpwatch is sending email reports properly:

–  On OpenWrt

The command will show

  • Aug 13 15:12:24 OpenWrt mail.info sSMTP[1613]: Sent mail for [email protected]@gmail.com (221 2.0.0 closing connection os4sm3481851pdb.67 – gsmtp) uid=0 sername=root outbytes=600
  • Aug 13 15:12:59 OpenWrt mail.info sSMTP[1614]: Sent mail for [email protected]@gmail.com (221 2.0.0 closing connection dd2sm3504325pdb.16 – gsmtp) uid=0 sername=root outbytes=785

–  On Email inbox

  1. Open the inbox of the email account set in your ssmtp configuration
  2. Check for email messages From: arpwatch <[email protected]>

Troubleshooting

The following instructions may help you resolve common Arpwatch issues.

– Arpwatch is unable to send an alert email

If Arpwatch is unable to send an email, it probably can’t find the sendmail file. To resolve the issue, copy sendmail to the correct directory

References

  1. arpwatch – Wikipedia
  2. Image by dariorug / CC BY 2.0