Today I will write about the arpwatch utility (developed by LBNL's Network Research Group), a small and very useful tool that keeps track of Ethernet/IP address pairings and logs every change, so you can monitor and analyze them.
Installation
I am using Debian, so I will just use apt-get to install arpwatch:
$ sudo apt-get install arpwatch
Configuration
Default application arguments are stored in the /etc/default/arpwatch configuration file:
# Global options for arpwatch(8).
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"
# Debian: run as `arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"
As you can see, by default arpwatch does not report bogons (see "Log messages" below); remove the -N parameter if you want them reported.
The main configuration is stored in the /etc/arpwatch.conf file:
# /etc/arpwatch.conf: Debian-specific way to watch multiple interfaces.
# Format of this configuration file is:
#
#<dev1> <arpwatch options for dev1>
#<dev2> <arpwatch options for dev2>
#...
#<devN> <arpwatch options for devN>
#
# You can set global options for all interfaces by editing
# /etc/default/arpwatch
# For example:
#eth0 -m root
#eth1 -m root
#eth2 -m root
# or, if you have an MTA configured for plussed addressing:
#
#eth0 -m root+eth0
#eth1 -m root+eth1
#eth2 -m root+eth2
Use this file to define the list of interfaces to watch and any per-interface parameters.
Execution
Use the /etc/init.d/arpwatch script to start or stop the service.
Log messages
This IP address doesn’t belong to the local subnet:
Mar 2 16:21:38 dhcp arpwatch: bogon 192.168.0.110 0:30:13:a0:a:1d
This Ethernet/IP address pair has not been seen before:
Jul 1 18:11:15 dhcp arpwatch: new station 11.27.43.192 d4:2a:d1:61:6:84
This Ethernet/IP address pair has been used for the first time in six months or more:
Jul 4 13:51:04 dhcp arpwatch: new activity 71.72.4.102 0:81:28:12:b3:d
The Ethernet address has changed:
Jul 6 18:31:25 dhcp arpwatch: changed ethernet address 18.17.16.15 fc:55:43:31:7:14 (0:71:12:2f:5a:12)
The Ethernet address has changed back to the previously seen one:
Jul 27 17:27:19 dhcp arpwatch: flip flop 18.17.16.15 0:71:12:2f:5a:12 (fc:55:43:31:7:14)
The Ethernet address has changed back to an older one seen before that:
Jul 29 13:32:13 dhcp arpwatch: reused old ethernet address 18.17.16.14 0:34:52:31:a:1d (d4:b1:d4:16:69:68)
…
OpenBSD notes
If you use a different operating system such as OpenBSD, edit the /etc/rc.local file and add the arpwatch command with its parameters so that it starts at boot.
# $OpenBSD: rc.local,v 1.39 2006/07/28 20:19:46 sturm Exp $
# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode. For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.
echo -n 'starting local daemons:'
# Add your local startup actions here.
if [ -x /usr/local/sbin/arpwatch -a -d /var/arpwatch ]; then
        /usr/local/sbin/arpwatch -i fxp0 -n 10.0.1.0/24 -n 10.0.2.0/24
        echo -n ' arpwatch'
fi
echo '.'