arpwatch is a software tool for monitoring Address Resolution Protocol (ARP) traffic on a computer network. It generates a log of observed pairings of IP addresses with MAC addresses, along with a timestamp of when each pairing appeared on the network. It can also send an email to an administrator when a pairing changes or is added.

Its main goal is to detect ARP poisoning attacks (e.g. those performed with Ettercap and Netcut) and to detect intruders in your network by sending an email to an administrator when new Ethernet MAC addresses are seen on the network.

Preview

Arpwatch's email report

Pre-requisites

  1. ssmtp – required for sending email

Install Arpwatch

For the Raspberry Pi to act as an ARP poisoning detector, you need to install the following package on it:

  • Arpwatch
    Arpwatch maintains a database of Ethernet MAC addresses seen on the network, with their associated IP pairs. It alerts the system administrator via e-mail when a change happens, such as a new station or new activity, flip-flops, changed addresses and re-used old addresses.
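The pairing database described above can also be checked by hand. The following Python script is an added example, not part of the original tutorial or of arpwatch: it reports IP addresses claimed by more than one MAC and MACs answering for more than one IP. It assumes records in the tab-separated layout of arpwatch's arp.dat file; the sample records and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records. Assumed layout (arpwatch's arp.dat database):
# MAC <TAB> IP <TAB> epoch seconds [<TAB> hostname [<TAB> interface]]
SAMPLE = (
    "b8:27:eb:12:34:56\t192.168.1.10\t1408775232\traspberrypi\teth0\n"
    "0:1a:2b:3c:4d:5e\t192.168.1.1\t1408775300\tgateway\teth0\n"
    "de:ad:be:ef:0:1\t192.168.1.1\t1408793142\t\teth0\n"
    "DE:AD:BE:EF:00:01\t192.168.1.66\t1408790000\n"
    "not a pairing record\n"
)
MAC_RE = re.compile(r"([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}")


def normalize_mac(mac):
    """Zero-pad and lowercase a MAC so '0:1a' and '00:1A' compare equal."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def parse_pairings(text):
    """Return (ip, mac, timestamp) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        try:
            records.append((str(ipaddress.ip_address(fields[1])),
                            normalize_mac(fields[0]), int(fields[2])))
        except (ValueError, IndexError):
            continue
    return records


def conflicts(pairs):
    """Return (IPs claimed by >1 MAC, MACs claiming >1 IP)."""
    by_ip, by_mac = defaultdict(dict), defaultdict(set)
    for ip, mac, ts in pairs:
        by_ip[ip][mac] = min(ts, by_ip[ip].get(mac, ts))
        by_mac[mac].add(ip)
    changed = {ip: sorted(m, key=m.get) for ip, m in by_ip.items() if len(m) > 1}
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return changed, shared


if __name__ == "__main__":
    changed, shared = conflicts(parse_pairings(SAMPLE))
    for ip, macs in changed.items():
        print("%s moved across MACs (oldest first): %s" % (ip, ", ".join(macs)))
    for mac, ips in shared.items():
        print("%s answers for several IPs: %s" % (mac, ", ".join(ips)))
```

A gateway IP that appears under a second MAC, where that MAC also holds another host's IP, is the pattern ARP poisoning leaves in the pairing history. DHCP reassignment and multi-homed hosts can produce similar entries.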

To install the arpwatch package, run the following command:

If the installation finishes without errors, you can continue to the next step.

Configure Arpwatch

To configure arpwatch, you need to edit the configuration file at /etc/arpwatch.conf

With arpwatch.conf open in the nano editor, edit the arpwatch configuration

The configuration

Arpwatch configuration version 2.1a15-1.2

Then add the interface you want to monitor (e.g. eth0, wlan0) at the bottom of the configuration file

Testing

To test whether Arpwatch is sending its email reports properly:

– On Terminal

Run the following commands in the terminal

The command will show

  • Aug 23 06:27:12 raspberrypi sSMTP[7102]: Sent mail for arpwatch@destination.address@gmail.com (221 2.0.0 closing connection fp2sm45473429pdb.0 – gsmtp) uid=111 username=arpwatch outbytes=839
  • Aug 23 11:25:42 raspberrypi sSMTP[10156]: Sent mail for arpwatch@destination.address@gmail.com (221 2.0.0 closing connection dx7sm93648563pab.5 – gsmtp) uid=111 username=arpwatch outbytes=855

– On Email inbox

  1. Open the inbox of the email account set in your ssmtp configuration
  2. Check for email messages From: arpwatch <username@domain.com>
