| Revisión previaPróxima revisión |
| — | es:howtos:software:arpwatch [2019/08/23 13:10 (UTC)] – [Network Monitoring with Arpwatch] slackwarespanol |
|---|
| | <!-- Add your text below. We strongly advise to start with a Headline (see button bar above). --> |
| | ====== Monitoreo de red con Arpwatch ====== |
| |
| | Arpwatch permite que un sistema rastree [[https://en.wikipedia.org/wiki/IP_address|IP]] pares de direcciones. Mapea las [[https://en.wikipedia.org/wiki/MAC_address|MAC Addresses]] en una red al rastrear [[https://en.wikipedia.org/wiki/Address_Resolution_Protocol|ARP]] a cada una dispositivo en [[https://en.wikipedia.org/wiki/LAN|LAN]] y registra la respuesta en una base de datos. Todas las tarjetas de red se fabrican con una dirección MAC única y esto permite que Arpwatch identifique cada dispositivo. El objetivo principal de mapear una red como esta es para que el administrador del sistema pueda realizar un seguimiento de los dispositivos en una red e identificar cuándo hay problemas de red. Arpwatch se usa comúnmente para identificar cuándo se está llevando a cabo un [[https://en.wikipedia.org/wiki/ARP_spoofing|ARP Man in the Middle attack]] notificando al administrador del sistema cuando se usa una dirección MAC duplicada en el red. Arpwatch se ejecuta más comúnmente en enrutadores, pero también puede ser útil en un conmutador de red administrado. |
| | ===== Install ===== |
| | Arpwatch is not apart of the standard Slackware Linux distribution. It can be obtained by downloading the [[https://slackbuilds.org/result/?search=arpwatch&sv=|SlackBuild from SlackBuilds.org]] for your desired Slackware release. SlackBuilds.org has a great [[https://slackbuilds.org/howto/|HOWTO]] discussing how to install a SlackBuild. The [[https://slackbuilds.org/faq/|SlackBuilds.org FAQ]] is also very helpful for Slackware users struggling to install a SlackBuild. |
| | |
| | ===== Configuration ===== |
| | The included start up script allows the administrator to configure Arpwatch for one or more network cards. The start up script is also where the administrator can configure the run time settings for Arpwatch. Open up **/etc/rc.d/rc.arpwatch** on your system and edit the **OPTIONS** variable to your satisfaction. By default the **root** account gets all Arpwatch emails. Let's try changing the email account Arpwatch will use for email notifications. Make sure you use a user account or an email address that exists or Arpwatch will not send notifications to you. |
| | |
| | The line you are looking for is: |
| | <code> |
| | OPTIONS="-i $IFACE -f $ARPDIR/arp-$IFACE.dat -u root -e root -s root" |
| | </code> |
| | |
| | The Arpwatch man page indicates that the **-e** switch manages the email account. Let us change it to the user **darkstar**. |
| | <code> |
| | OPTIONS="-i $IFACE -f $ARPDIR/arp-$IFACE.dat -u root -e darkstar -s root" |
| | </code> |
| | |
| | Or we can use a remote email address if **sendmail** is configured to do so: |
| | <code> |
| | OPTIONS="-i $IFACE -f $ARPDIR/arp-$IFACE.dat -u root -e user@randomdomain.com -s root" |
| | </code> |
| | ===== Update MAC Address Database ===== |
| | The README.ethercodes installed with the Arpwatch SlackBuild indicates that the MAC Address database that comes with the source tarball can be outdated. This database is only updated when there is a new release of Arpwatch, which has not happened in quite a while. |
| | |
| | //These steps are covered in greater detail if you read /usr/doc/arpwatch-$VERSION/README.ethercodes// |
| | <code> |
| | su - |
| | cd /var/lib/arpwatch |
| | wget http://standards-oui.ieee.org/oui.txt |
| | ./massagevendor oui.txt > ethercodes.dat |
| | rm -f oui.txt |
| | </code> |
| | |
| | ===== Start and Stop at Boot ===== |
| | The file **/etc/rc.d/rc.arpwatch** controls start up and shut down of Arpwatch. In order to use this script you need to add a few lines to **/etc/rc.d/rc.local** and **/etc/rc.d/rc.local_shutdown**. Be sure to use the appropriate order if you have any other network services starting or stopping in these scripts. As an example, you should start Arpwatch before you bring up hostapd if you are running a [[howtos:network_services:configuring_a_wireless_access_point|Wireless Access Point]], and shutdown Arpwatch after hostapd exits. Using such ordering assures that Arpwatch identifies all ARP requests on your network. |
| | |
| | Continuing with the above example lets assume you are running a wireless access point. Add this to **/etc/rc.d/rc.local** |
| | <code> |
| | if [ -x /etc/rc.d/rc.arpwatch ]; then |
| | /etc/rc.d/rc.arpwatch start wlan0 |
| | fi |
| | </code> |
| | |
| | If you wish to run Arpwatch on multiple network cards adjust **/etc/rc.d/rc.local** like this: |
| | <code> |
| | # Change eth0 and wlan0 to match your configuration |
| | if [ -x /etc/rc.d/rc.arpwatch ]; then |
| | /etc/rc.d/rc.arpwatch start eth0 |
| | /etc/rc.d/rc.arpwatch start wlan0 |
| | fi |
| | </code> |
| | |
| | It's important that Arpwatch is stopped cleanly when your system is shutdown or rebooted. If you haven't already done so, create **/etc/rc.d/rc.local_shutdown** as root: |
| | <code> |
| | touch /etc/rc.d/rc.local_shutdown |
| | </code> |
| | |
| | Next you need to edit **rc.local_shutdown** like so: |
| | <code> |
| | if [ -x /etc/rc.d/rc.arpwatch ]; then |
| | /etc/rc.d/rc.arpwatch stop |
| | fi |
| | </code> |
| | |
| | Finally, mark **rc.local** and **rc.local_shutdown** as //executable//. This tells Slackware to automatically execute these scripts during the boot process. |
| | <code> |
| | chmod +x /etc/rc.d/rc.local |
| | chmod +x /etc/rc.d/rc.local_shutdown |
| | </code> |
| | |
| | ===== Wrap Up ===== |
| | Assuming all steps were followed you should have received an email for each device Arpwatch discovered on your network. If you opted to use the **root** user for notifications, you can view them by using the **mail** command as root user. |
| | |
| | <code> |
| | mail -f /var/spool/mail/root |
| | </code> |
| | |
| | Here is an example of what you may find in your inbox: |
| | <code> |
| | hostname: <unknown> |
| | ip address: 192.168.151.170 |
| | ethernet address: XX:XX:XX:XX:XX:XX |
| | ethernet address: XX:XX:XX:XX:XX:XX |
| | ethernet vendor: <unknown> |
| | timestamp: Monday, April 9, 2018 12:01:39 -0600 |
| | </code> |
| | |
| | ====== Sources ====== |
| | * [[https://ee.lbl.gov/|Arpwatch Home]] |
| | |
| | * Originally written by [[wiki:user:mralk3 | Brenton Earl]] |
| | <!-- If you are copying information from another source, then specify that source --> |
| | <!-- * Original source: [[http://some.website.org/some/page.html]] --> |
| | <!-- Authors are allowed to give credit to themselves! --> |
| | <!-- * Originally written by [[wiki:user:xxx | User X]] --> |
| | <!-- * Contributions by [[wiki:user:yyy | User Y]] --> |
| | |
| | <!-- Please do not modify anything below, except adding new tags.--> |
| | <!-- You must remove the tag-word "template" below before saving your new page --> |
| | {{tag>howtos network monitoring arpwatch user_mralk3}} |
