Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

howtos:software:arpwatch [2018/04/11 01:16 (UTC)]
mralk3 created
howtos:software:arpwatch [2018/11/15 00:35 (UTC)]
mralk3 [Sources]
Line 1: Line 1:
 <!-- Add your text below. We strongly advise to start with a Headline (see button bar above). --> <!-- Add your text below. We strongly advise to start with a Headline (see button bar above). -->
-====== Arpwatch ======+====== ​Network Monitoring with Arpwatch ======
  
-Arpwatch allows a system to track [[https://​en.wikipedia.org/​wiki/​IP_address|IP]] address pairings. ​ It maps the [[https://​en.wikipedia.org/​wiki/​MAC_address|MAC Addresses]] on a network by making ​[[https://​en.wikipedia.org/​wiki/​Address_Resolution_Protocol|ARP]] requests to each device on the [[https://​en.wikipedia.org/​wiki/​LAN|LAN]] and recording the response in a database. ​ All network cards are manufactured with a unique MAC address and this allows Arpwatch to identify each device. ​ The main purpose of mapping a network like this is so the system administrator can keep track of the devices on a network and identify when there are networking issues. ​ Arpwatch is commonly used to identify when an [[https://​en.wikipedia.org/​wiki/​ARP_spoofing|ARP Man in the Middle attack]] is being conducted by notifying the system administrator when a duplicate MAC address is being used on the network. ​ Arpwatch is most commonly ran on routers, but it can also useful on a managed network switch.+Arpwatch allows a system to track [[https://​en.wikipedia.org/​wiki/​IP_address|IP]] address pairings. ​ It maps the [[https://​en.wikipedia.org/​wiki/​MAC_address|MAC Addresses]] on a network by tracking ​[[https://​en.wikipedia.org/​wiki/​Address_Resolution_Protocol|ARP]] requests to each device on the [[https://​en.wikipedia.org/​wiki/​LAN|LAN]] and recording the response in a database. ​ All network cards are manufactured with a unique MAC address and this allows Arpwatch to identify each device. ​ The main purpose of mapping a network like this is so the system administrator can keep track of the devices on a network and identify when there are networking issues. ​ Arpwatch is commonly used to identify when an [[https://​en.wikipedia.org/​wiki/​ARP_spoofing|ARP Man in the Middle attack]] is being conducted by notifying the system administrator when a duplicate MAC address is being used on the network. 
​ Arpwatch is most commonly ran on routers, but it can also useful on a managed network switch.
  
 ===== Install ===== ===== Install =====
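Review bot: the change from "making ARP requests" to "tracking ARP requests" is the right correction, since Arpwatch listens passively, but the rest of that sentence still reads "recording the response in a database", which only makes sense if Arpwatch sent the request itself; suggest "recording the IP/MAC pairings it sees in a database". The unchanged closing sentence also keeps two grammar slips: "Arpwatch is most commonly ran on routers, but it can also useful on a managed network switch" should read "is most commonly run on routers, but it can also be useful on a managed network switch". Lastly, the attack indicator is described as "a duplicate MAC address is being used"; what an ARP spoof produces on the wire is one IP address answering from two different hardware addresses, and that change of pairing is what Arpwatch notices, so consider wording the indicator that way.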
Line 8: Line 8:
  
 ===== Configuration ===== ===== Configuration =====
-The included start up script allows the administrator to configure Arpwatch for one or more network cards. ​ The start up script is also where the administrator can configure the run time settings for Arpwatch. ​ Open up **/​etc/​rc.d/​rc.arpwatch** on your system and edit the **OPTIONS** variable to your satisfaction. ​ By default the **root** account gets all Arpwatch ​E-mails.  Let'​s ​start by changing the e-mail ​account Arpwatch will use for e-mail ​notifications.  ​+The included start up script allows the administrator to configure Arpwatch for one or more network cards. ​ The start up script is also where the administrator can configure the run time settings for Arpwatch. ​ Open up **/​etc/​rc.d/​rc.arpwatch** on your system and edit the **OPTIONS** variable to your satisfaction. ​ By default the **root** account gets all Arpwatch ​emails.  Let'​s ​try changing the email account Arpwatch will use for email notifications.  ​Make sure you use a user account or an email address that exists or Arpwatch will not send notifications to you.
  
 The line you are looking for is: The line you are looking for is:
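Review bot: moving the "Make sure you use a user account or an email address that exists" warning up into the Configuration paragraph is an improvement, because it now appears before the reader edits OPTIONS rather than after the example. Two wording points in the same paragraph: "start up script" and "run time settings" are nouns here and read better as "startup script" and "runtime settings".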
Line 15: Line 15:
 </​code>​ </​code>​
  
-The Arpwatch man page indicates that the **-e** switch ​managed ​the E-mail ​account. ​ Let us change it to the user **darkstar**.+The Arpwatch man page indicates that the **-e** switch ​manages ​the email account. ​ Let us change it to the user **darkstar**.
 <​code>​ <​code>​
 OPTIONS="​-i $IFACE -f $ARPDIR/​arp-$IFACE.dat -u root -e darkstar -s root" OPTIONS="​-i $IFACE -f $ARPDIR/​arp-$IFACE.dat -u root -e darkstar -s root"
 </​code>​ </​code>​
  
-**Make sure you use a user account or an email address ​that exists or Arpwatch will not send notifications ​to you Check the man page for more settings.** +Or we can use a remote ​email address ​if **sendmail** is configured ​to do so: 
 +<​code>​ 
 +OPTIONS="​-i $IFACE -f $ARPDIR/​arp-$IFACE.dat -u root -e user@randomdomain.com -s root" 
 +</​code>​
 ===== Update MAC Address Database ===== ===== Update MAC Address Database =====
-The README.ethercodes installed with Arpwatch SlackBuild indicates that the MAC Address database that comes with the source tarball can be outdated. ​ This database is only updated when there is a new release of Arpwatch, which has not happened in quite a while.+The README.ethercodes installed with the Arpwatch SlackBuild indicates that the MAC Address database that comes with the source tarball can be outdated. ​ This database is only updated when there is a new release of Arpwatch, which has not happened in quite a while.
  
 //These steps are covered in greater detail if you read /​usr/​doc/​arpwatch-$VERSION/​README.ethercodes//​ //These steps are covered in greater detail if you read /​usr/​doc/​arpwatch-$VERSION/​README.ethercodes//​
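Review bot: both OPTIONS lines in this hunk keep "-u root", which means Arpwatch never drops privileges: -u is the switch that changes the daemon to an unprivileged user once the capture interface is open, so "root" there defeats its purpose. Suggest the howto recommend a dedicated unprivileged account that owns /var/lib/arpwatch (the SlackBuild's README or the man page will say whether one is created for you) instead of root. Two smaller points: the new example address "user@randomdomain.com" may belong to a real domain, and documentation should use the reserved example.com ("user@example.com") so a copy-paste does not mail a stranger; and the removed bold sentence ended with "Check the man page for more settings", which was not carried over anywhere and is worth restoring as a plain sentence after the remote-email example.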
Line 29: Line 31:
 su - su -
 cd /​var/​lib/​arpwatch cd /​var/​lib/​arpwatch
-wget http://​standards.ieee.org/​regauth/​oui/oui.txt+wget http://​standards-oui.ieee.org/​oui.txt
 ./​massagevendor oui.txt > ethercodes.dat ./​massagevendor oui.txt > ethercodes.dat
 rm -f oui.txt rm -f oui.txt
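Review bot: the sequence "wget http://standards-oui.ieee.org/oui.txt" followed by "./massagevendor oui.txt > ethercodes.dat" truncates the existing ethercodes.dat before massagevendor produces any output, so if the download fails (or the URL moves again, as this very hunk shows it already did) the installed vendor database is replaced by an empty file. Suggest chaining the steps with && or writing to a temporary file and moving it into place only on success, for example "wget http://standards-oui.ieee.org/oui.txt && ./massagevendor oui.txt > ethercodes.dat.new && mv ethercodes.dat.new ethercodes.dat". Since the whole sequence runs as root via "su -" and the result feeds Arpwatch's vendor lookups, also prefer an https:// URL if the IEEE server offers one, so the file cannot be altered in transit.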
Line 35: Line 37:
  
 ===== Start and Stop at Boot ===== ===== Start and Stop at Boot =====
-The file **/​etc/​rc.d/​rc.arpwatch** controls start up and shut down of Arpwatch. ​ In order to use this script you need to add a few lines to **/​etc/​rc.d/​rc.local** and **/​etc/​rc.d/​rc.local_shutdown** ​on your system.  Be sure to use the appropriate order if you have any other network services starting or stopping in these scripts. ​ As an example, you should start Arpwatch before you bring up hostapd if you are running a [[howtos:​network_services:​configuring_a_wireless_access_point|Wireless Access Point]], and shutdown Arpwatch after hostapd exits. ​ Using such ordering assures that Arpwatch identifies all ARP requests on your network.+The file **/​etc/​rc.d/​rc.arpwatch** controls start up and shut down of Arpwatch. ​ In order to use this script you need to add a few lines to **/​etc/​rc.d/​rc.local** and **/​etc/​rc.d/​rc.local_shutdown**. ​ Be sure to use the appropriate order if you have any other network services starting or stopping in these scripts. ​ As an example, you should start Arpwatch before you bring up hostapd if you are running a [[howtos:​network_services:​configuring_a_wireless_access_point|Wireless Access Point]], and shutdown Arpwatch after hostapd exits. ​ Using such ordering assures that Arpwatch identifies all ARP requests on your network.
  
-Continuing with the above examplelets assume you are running a wireless access point. Add this to ///​etc/​rc.d/​rc.local//+Continuing with the above example lets assume you are running a wireless access point. ​ Add this to **/​etc/​rc.d/​rc.local**
 <​code>​ <​code>​
 if [ -x /​etc/​rc.d/​rc.arpwatch ]; then if [ -x /​etc/​rc.d/​rc.arpwatch ]; then
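Review bot: "Continuing with the above example lets assume you are running a wireless access point" needs a comma and an apostrophe: "Continuing with the above example, let's assume ...". In the first sentence "start up and shut down of Arpwatch" are nouns and read better as "startup and shutdown of Arpwatch". The ordering advice itself (start Arpwatch before hostapd, stop it after hostapd exits) is sound and worth keeping as written.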
Line 44: Line 46:
 </​code>​ </​code>​
  
-If you wish to run Arpwatch on multiple network cards edit ///​etc/​rc.d/​rc.local// like this:+If you wish to run Arpwatch on multiple network cards adjust **/​etc/​rc.d/​rc.local** like this:
 <​code>​ <​code>​
 # Change eth0 and wlan0 to match your configuration # Change eth0 and wlan0 to match your configuration
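Review bot: "If you wish to run Arpwatch on multiple network cards adjust /etc/rc.d/rc.local like this" needs a comma after "cards".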
Line 53: Line 55:
 </​code>​ </​code>​
  
-It's important that Arpwatch is stopped cleanly when your system is shutdown or rebooted. ​ If you haven'​t already done so, create ​///​etc/​rc.d/​rc.local_shutdown// as root:+It's important that Arpwatch is stopped cleanly when your system is shutdown or rebooted. ​ If you haven'​t already done so, create ​**/​etc/​rc.d/​rc.local_shutdown** as root:
 <​code>​ <​code>​
 touch /​etc/​rc.d/​rc.local_shutdown touch /​etc/​rc.d/​rc.local_shutdown
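Review bot: "when your system is shutdown or rebooted" should be "is shut down or rebooted" (verb, two words); the switch from italic to bold for the path is consistent with the rest of this revision.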
Line 66: Line 68:
  
 Finally, mark **rc.local** and **rc.local_shutdown** as //​executable//​. ​ This tells Slackware to automatically execute these scripts during the boot process. Finally, mark **rc.local** and **rc.local_shutdown** as //​executable//​. ​ This tells Slackware to automatically execute these scripts during the boot process.
- 
 <​code>​ <​code>​
 chmod +x /​etc/​rc.d/​rc.local chmod +x /​etc/​rc.d/​rc.local
Line 73: Line 74:
  
 ===== Wrap Up ===== ===== Wrap Up =====
-Assuming all steps were followedyou should have receive ​an E-mail ​for each device Arpwatch ​discovers ​on your network. ​ If you opted to use the **root** user for notifications,​ you can view them by using the **mail** command as root user.+Assuming all steps were followed you should have received ​an email for each device Arpwatch ​discovered ​on your network. ​ If you opted to use the **root** user for notifications,​ you can view them by using the **mail** command as root user.
  
 <​code>​ <​code>​
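Review bot: "Assuming all steps were followed you should have received" needs a comma after "followed". The tense change from "discovers" to "discovered" also narrows the meaning: Arpwatch keeps mailing as new stations appear rather than reporting once, so the present tense "discovers" was the more accurate choice.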
Line 83: Line 84:
             hostname: <​unknown>​             hostname: <​unknown>​
           ip address: 192.168.151.170           ip address: 192.168.151.170
-    ethernet address: ​b8:27:eb:31:be:89+    ethernet address: ​XX:XX:XX:XX:XX:XX
     ethernet address: XX:​XX:​XX:​XX:​XX:​XX     ethernet address: XX:​XX:​XX:​XX:​XX:​XX
      ​ethernet vendor: <​unknown>​      ​ethernet vendor: <​unknown>​
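Review bot: replacing the real hardware address "b8:27:eb:31:be:89" with "XX:XX:XX:XX:XX:XX" is the right call, since the earlier revision published an identifiable device address from the author's own network; the sample IP 192.168.151.170 is private address space and can stay. The two "ethernet address" lines are now identical, which makes the sample report harder to read; if the second one is the previous address from a changed-address report, consider labelling it or using a distinct placeholder such as YY:YY:YY:YY:YY:YY.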
Line 101: Line 102:
 <!-- Please do not modify anything below, except adding new tags.--> <!-- Please do not modify anything below, except adding new tags.-->
 <!-- You must remove the tag-word "​template"​ below before saving your new page --> <!-- You must remove the tag-word "​template"​ below before saving your new page -->
-{{tag>​howtos ​template}}+{{tag>​howtos ​network monitoring arpwatch user_mralk3}}