More Security: Arpwatch
Continuing on my Wi-Fi security post from the other day, I've installed Arpwatch from LBNL, which seems to be an overlooked tool for network security.
Brought to you by the same people who brought you great tools like traceroute and libpcap, arpwatch monitors the pairing of IP Addresses to MAC Addresses. This may help reveal careless network intruders.
To install arpwatch, you'll need to make sure that "libpcap" is installed. If it isn't, you can get it as an RPM for Fedora Core 3, or download it as a tarball, also from LBNL.
After uncompressing the tarball, you'll compile arpwatch with the typical...
./configure
make
make install
commands. Before running, you'll need to...
touch /usr/local/arpwatch/arp.dat
And then, to run arpwatch, you'll need to reference the path to that file, for example...
arpwatch -f /usr/local/arpwatch/arp.dat
The program will then run and, by default, email the root account and log any changes to IP Address/MAC Address pairings to syslog (messages). Arpwatch seems to be short on documentation, so search Google for the Arpwatch MANPAGE. You'll see the options for emailing changes, and an explanation of the messages that may appear.
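As a complement to the emails and syslog messages, the arp.dat database can be reviewed directly. This added example (not from the original post or from arpwatch itself) lists every IP address recorded with more than one MAC address; it assumes each arp.dat line is MAC, IP, epoch timestamp and an optional hostname separated by tabs, and the function names and sample data are hypothetical.

```shell
#!/bin/sh
# Added example: list IPs that an arp.dat-format file pairs with several MACs.
# Assumed line layout: MAC <tab> IP <tab> epoch timestamp [<tab> hostname]

arp_conflicts() {
    # $1 = path to an arp.dat-format file
    awk -F '\t' '
    NF >= 3 {
        # Normalise the MAC (lower case, no leading zero per octet) so that
        # 00:DE:... and 0:de:... are treated as the same address.
        n = split(tolower($1), o, ":")
        mac = ""
        for (i = 1; i <= n; i++) {
            if (length(o[i]) == 2) sub(/^0/, "", o[i])
            mac = mac (i > 1 ? ":" : "") o[i]
        }
        key = $2 SUBSEP mac
        if (!(key in seen)) {          # count each IP/MAC pair only once
            seen[key] = 1
            count[$2]++
            macs[$2] = macs[$2] " " mac
        }
    }
    END {
        for (ip in count)
            if (count[ip] > 1) print ip macs[ip]
    }' "$1" | sort
}

sample_arp_dat() {
    # Constructed sample data, not taken from a real network.
    printf '0:11:22:33:44:55\t192.168.1.1\t1100000000\tgateway\n'
    printf '0:a0:c9:12:34:56\t192.168.1.20\t1100000100\tlaptop\n'
    printf '00:DE:AD:BE:EF:01\t192.168.1.1\t1100000200\n'
    printf '0:de:ad:be:ef:1\t192.168.1.1\t1100000300\n'
}

tmp=$(mktemp)
sample_arp_dat > "$tmp"
arp_conflicts "$tmp"    # in practice: arp_conflicts /usr/local/arpwatch/arp.dat
rm -f "$tmp"
```

An IP with two MACs is not proof of an intruder (a replaced network card or a reassigned DHCP lease produces the same record), so treat each line as something to check against known hardware.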