For computers to communicate with each other over a network, they need to know how to convert an IP address into the physical address of the network card (the MAC address). If your computer doesn't have the MAC address for the host you are trying to reach, it sends out a broadcast ARP request to find out who owns that IP address.
These ARP requests are broadcast out over a LAN, and are limited by the broadcast domain (generally broadcast over all ports on a switch, but not through a router).
By monitoring these ARP broadcasts, you can identify new computers that are connected to the network.
Arpwatch is a tool that does just that. It monitors the network, keeps track of MAC addresses, and if there are any new ones detected on the network, it can email you.
This is a great tool if you want to ensure there are no rogue computers or wireless access points connected to your network.
This guide focuses on installing and setting up arpwatch on an Ubuntu system; other distributions will be similar.
Install arpwatch:
$ sudo apt-get -y install arpwatch
If you are using Ubuntu, you will need to modify the /etc/arpwatch.conf file to specify which device to listen on and which account to email.
$ sudo nano /etc/arpwatch.conf
Example arpwatch.conf file set to listen on eth0, and email root:
# /etc/arpwatch.conf: Debian-specific way to watch multiple interfaces.
# Format of this configuration file is:
#
#
#...
#
#
# You can set global options for all interfaces by editing
# /etc/default/arpwatch

# For example:

eth0 -m root
#eth1 -m root
#eth2 -m root

# or, if you have an MTA configured for plussed addressing:

#eth0 -m root+eth0
#eth1 -m root+eth1
#eth2 -m root+eth2
After changing this file, restart arpwatch using:
$ sudo /etc/init.d/arpwatch restart
If you have arpwatch installed on a non-Ubuntu/Debian-based distribution, you can run arpwatch using the following command:
arpwatch -i eth0 -m root
Example email content from arpwatch:
hostname: ubuntu
ip address: 192.168.0.5
interface: eth0
ethernet address: 00:24:1d:76:e4:1d
ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
timestamp: Saturday, April 14, 2012 18:13:29 +1030
and
hostname: <unknown>
ip address: 192.168.0.254
interface: eth0
ethernet address: 00:13:10:41:d9:b3
ethernet vendor: Cisco-Linksys, LLC
timestamp: Saturday, April 14, 2012 18:14:11 +1030
As you can see above, each report records the hostname (if it can be resolved), the IP address, the interface it was detected on, the hardware/MAC address, the vendor that owns that MAC address prefix, and the timestamp of when it was detected.
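The mails are only useful if someone compares them against what should be on the LAN. As an added example (not part of this guide or of arpwatch itself), the Python below parses a report of the shape shown above and checks the MAC address against a hypothetical inventory of known devices, so an unknown station or a known MAC that turned up with a different IP can be flagged automatically. The inventory and the sample report are constructed from the two mails above.

```python
import re

# One "field: value" line of an arpwatch report mail, as in the examples above.
FIELD_RE = re.compile(
    r"^\s*(hostname|ip address|interface|ethernet address|ethernet vendor|timestamp):\s*(.*)$"
)


def normalize_mac(mac):
    """Return the MAC in lower-case, zero-padded aa:bb:cc:dd:ee:ff form.
    arpwatch's syslog lines drop leading zeros (0:24:1d:...), so normalize
    before comparing against an inventory."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)


def parse_report(text):
    """Parse an arpwatch report body into a dict keyed by field name."""
    report = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            report[m.group(1).replace(" ", "_")] = m.group(2).strip()
    missing = {"ip_address", "ethernet_address", "interface"} - report.keys()
    if missing:
        raise ValueError(f"report is missing fields: {sorted(missing)}")
    report["ethernet_address"] = normalize_mac(report["ethernet_address"])
    if report.get("hostname") == "<unknown>":
        report["hostname"] = None  # arpwatch could not resolve a name
    return report


def classify(report, inventory):
    """inventory maps a normalized MAC to the IP it is expected to use (or None
    if any IP is acceptable). Returns 'known', 'ip_changed' or 'unknown'."""
    mac = report["ethernet_address"]
    if mac not in inventory:
        return "unknown"
    expected_ip = inventory[mac]
    if expected_ip is not None and expected_ip != report["ip_address"]:
        return "ip_changed"
    return "known"


# Constructed inventory: the Ubuntu box from the first mail is the only known device.
KNOWN_DEVICES = {"00:24:1d:76:e4:1d": "192.168.0.5"}

# Constructed sample report, copied from the second mail above.
SAMPLE_REPORT = """hostname: <unknown>
ip address: 192.168.0.254
interface: eth0
ethernet address: 00:13:10:41:d9:b3
ethernet vendor: Cisco-Linksys, LLC
timestamp: Saturday, April 14, 2012 18:14:11 +1030
"""

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(r["ethernet_address"], r["ip_address"], classify(r, KNOWN_DEVICES))
```

In practice you would feed the script the mail body from a procmail or sieve rule, or the "new station" lines from /var/log/syslog after normalizing the MAC with normalize_mac().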
New ARP entries will also be logged to /var/log/syslog.
For more information, check the arpwatch man page by running ‘man arpwatch’.