[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.

Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

howtos:software:arpwatch [2018/04/11 02:40 (UTC)] – [Update MAC Address Database] mralk3
howtos:software:arpwatch [2018/04/11 03:09 (UTC)] – [Arpwatch] mralk3
Line 1: Line 1:
 <!-- Add your text below. We strongly advise to start with a Headline (see button bar above). --> <!-- Add your text below. We strongly advise to start with a Headline (see button bar above). -->
-====== Arpwatch ======+====== Network Monitoring with Arpwatch ======
  
 Arpwatch allows a system to track [[https://en.wikipedia.org/wiki/IP_address|IP]] address pairings.  It maps the [[https://en.wikipedia.org/wiki/MAC_address|MAC Addresses]] on a network by tracking [[https://en.wikipedia.org/wiki/Address_Resolution_Protocol|ARP]] requests to each device on the [[https://en.wikipedia.org/wiki/LAN|LAN]] and recording the response in a database.  All network cards are manufactured with a unique MAC address and this allows Arpwatch to identify each device.  The main purpose of mapping a network like this is so the system administrator can keep track of the devices on a network and identify when there are networking issues.  Arpwatch is commonly used to identify when an [[https://en.wikipedia.org/wiki/ARP_spoofing|ARP Man in the Middle attack]] is being conducted by notifying the system administrator when a duplicate MAC address is being used on the network.  Arpwatch is most commonly ran on routers, but it can also useful on a managed network switch. Arpwatch allows a system to track [[https://en.wikipedia.org/wiki/IP_address|IP]] address pairings.  It maps the [[https://en.wikipedia.org/wiki/MAC_address|MAC Addresses]] on a network by tracking [[https://en.wikipedia.org/wiki/Address_Resolution_Protocol|ARP]] requests to each device on the [[https://en.wikipedia.org/wiki/LAN|LAN]] and recording the response in a database.  All network cards are manufactured with a unique MAC address and this allows Arpwatch to identify each device.  The main purpose of mapping a network like this is so the system administrator can keep track of the devices on a network and identify when there are networking issues.  Arpwatch is commonly used to identify when an [[https://en.wikipedia.org/wiki/ARP_spoofing|ARP Man in the Middle attack]] is being conducted by notifying the system administrator when a duplicate MAC address is being used on the network.  Arpwatch is most commonly ran on routers, but it can also useful on a managed network switch.
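Review bot: the unchanged introductory paragraph still carries two grammar slips that this retitling revision could have fixed: "Arpwatch is most commonly ran on routers, but it can also useful" should read "most commonly run on routers, but it can also be useful". The sentence on ARP man-in-the-middle detection says Arpwatch notifies "when a duplicate MAC address is being used"; what the linked ARP spoofing attack produces on the wire is an IP address that starts answering from a different MAC address than the one previously recorded, so "when the MAC address paired with an IP address changes" would describe the notification more accurately. The new heading "Network Monitoring with Arpwatch" itself is fine.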
Line 37: Line 37:
  
 ===== Start and Stop at Boot ===== ===== Start and Stop at Boot =====
-The file **/etc/rc.d/rc.arpwatch** controls start up and shut down of Arpwatch.  In order to use this script you need to add a few lines to **/etc/rc.d/rc.local** and **/etc/rc.d/rc.local_shutdown** on your system.  Be sure to use the appropriate order if you have any other network services starting or stopping in these scripts.  As an example, you should start Arpwatch before you bring up hostapd if you are running a [[howtos:network_services:configuring_a_wireless_access_point|Wireless Access Point]], and shutdown Arpwatch after hostapd exits.  Using such ordering assures that Arpwatch identifies all ARP requests on your network.+The file **/etc/rc.d/rc.arpwatch** controls start up and shut down of Arpwatch.  In order to use this script you need to add a few lines to **/etc/rc.d/rc.local** and **/etc/rc.d/rc.local_shutdown**.  Be sure to use the appropriate order if you have any other network services starting or stopping in these scripts.  As an example, you should start Arpwatch before you bring up hostapd if you are running a [[howtos:network_services:configuring_a_wireless_access_point|Wireless Access Point]], and shutdown Arpwatch after hostapd exits.  Using such ordering assures that Arpwatch identifies all ARP requests on your network.
  
-Continuing with the above examplelets assume you are running a wireless access point. Add this to ///etc/rc.d/rc.local//+Continuing with the above example lets assume you are running a wireless access point.  Add this to **/etc/rc.d/rc.local**
 <code> <code>
 if [ -x /etc/rc.d/rc.arpwatch ]; then if [ -x /etc/rc.d/rc.arpwatch ]; then
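Review bot: "Continuing with the above example lets assume" still needs an apostrophe and a comma: "Continuing with the above example, let's assume". Switching the file path from //italic// to **bold** matches how **/etc/rc.d/rc.arpwatch** is already marked up in the paragraph above, so the hunk is otherwise consistent.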
Line 46: Line 46:
 </code> </code>
  
-If you wish to run Arpwatch on multiple network cards edit ///etc/rc.d/rc.local// like this:+If you wish to run Arpwatch on multiple network cards adjust **/etc/rc.d/rc.local** like this:
 <code> <code>
 # Change eth0 and wlan0 to match your configuration # Change eth0 and wlan0 to match your configuration
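Review bot: the rewritten sentence wants a comma after "network cards": "If you wish to run Arpwatch on multiple network cards, adjust **/etc/rc.d/rc.local** like this:". The "Change eth0 and wlan0 to match your configuration" comment is the right place to signal that the interface names are examples, so nothing else to raise here.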
Line 55: Line 55:
 </code> </code>
  
-It's important that Arpwatch is stopped cleanly when your system is shutdown or rebooted.  If you haven't already done so, create ///etc/rc.d/rc.local_shutdown// as root:+It's important that Arpwatch is stopped cleanly when your system is shutdown or rebooted.  If you haven't already done so, create **/etc/rc.d/rc.local_shutdown** as root:
 <code> <code>
 touch /etc/rc.d/rc.local_shutdown touch /etc/rc.d/rc.local_shutdown
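Review bot: "when your system is shutdown or rebooted" should be "shut down" (the verb form). Keeping "as root" is correct, since creating a file under /etc/rc.d and the chmod that follows later in the page both need it. The path markup change is fine.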
Line 68: Line 68:
  
 Finally, mark **rc.local** and **rc.local_shutdown** as //executable// This tells Slackware to automatically execute these scripts during the boot process. Finally, mark **rc.local** and **rc.local_shutdown** as //executable// This tells Slackware to automatically execute these scripts during the boot process.
- 
 <code> <code>
 chmod +x /etc/rc.d/rc.local chmod +x /etc/rc.d/rc.local
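Review bot: the sentence "mark **rc.local** and **rc.local_shutdown** as //executable// This tells Slackware" is still missing a full stop after "executable". Dropping the stray blank line before the <code> block is fine. Since the previous section stresses that Arpwatch must be stopped cleanly, it would help to say explicitly that a non-executable rc.local_shutdown is silently skipped at shutdown, which is why both chmod lines are needed.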
Line 75: Line 74:
  
 ===== Wrap Up ===== ===== Wrap Up =====
-Assuming all steps were followedyou should have receive an E-mail for each device Arpwatch discovers on your network.  If you opted to use the **root** user for notifications, you can view them by using the **mail** command as root user.+Assuming all steps were followed you should have received an email for each device Arpwatch discovered on your network.  If you opted to use the **root** user for notifications, you can view them by using the **mail** command as root user.
  
 <code> <code>
Line 85: Line 84:
             hostname: <unknown>             hostname: <unknown>
           ip address: 192.168.151.170           ip address: 192.168.151.170
-    ethernet address: b8:27:eb:31:be:89+    ethernet address: XX:XX:XX:XX:XX:XX
     ethernet address: XX:XX:XX:XX:XX:XX     ethernet address: XX:XX:XX:XX:XX:XX
      ethernet vendor: <unknown>      ethernet vendor: <unknown>
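Review bot: replacing the real hardware address b8:27:eb:31:be:89 with XX:XX:XX:XX:XX:XX is the right call; a MAC address in a published example identifies a specific physical device and its manufacturer, and the placeholder already used on the following "ethernet address" line keeps the sample consistent. The prose still wants a comma: "Assuming all steps were followed, you should have received". Since the sample shows both "hostname: <unknown>" and "ethernet vendor: <unknown>", a sentence explaining why those fields can be empty in a fresh report would save readers from thinking something is misconfigured.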
Line 103: Line 102:
 <!-- Please do not modify anything below, except adding new tags.--> <!-- Please do not modify anything below, except adding new tags.-->
 <!-- You must remove the tag-word "template" below before saving your new page --> <!-- You must remove the tag-word "template" below before saving your new page -->
-{{tag>howtos template}}+{{tag>howtos network monitoring arpwatch}}
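Review bot: swapping the "template" tag for real tags satisfies the "You must remove the tag-word template" comment directly above. Tags inside {{tag>...}} are separated by spaces, so "network monitoring" registers as two separate tags, "network" and "monitoring"; if a single "network monitoring" tag is intended, write it as network_monitoring.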
 howtos:software:arpwatch ()