howtos:software:arpwatch [2018/04/11 02:45 (UTC)] – [Start and Stop at Boot] mralk3 | howtos:software:arpwatch [2018/11/15 00:34 (UTC)] – [Update MAC Address Database] fix url to mac database mralk3 |
---|
<!-- Add your text below. We strongly advise to start with a Headline (see button bar above). --> | <!-- Add your text below. We strongly advise to start with a Headline (see button bar above). --> |
====== Arpwatch ====== | ====== Network Monitoring with Arpwatch ====== |
| |
Arpwatch allows a system to track [[https://en.wikipedia.org/wiki/IP_address|IP]] address pairings. It maps the [[https://en.wikipedia.org/wiki/MAC_address|MAC Addresses]] on a network by tracking [[https://en.wikipedia.org/wiki/Address_Resolution_Protocol|ARP]] requests to each device on the [[https://en.wikipedia.org/wiki/LAN|LAN]] and recording the response in a database. All network cards are manufactured with a unique MAC address and this allows Arpwatch to identify each device. The main purpose of mapping a network like this is so the system administrator can keep track of the devices on a network and identify when there are networking issues. Arpwatch is commonly used to identify when an [[https://en.wikipedia.org/wiki/ARP_spoofing|ARP Man in the Middle attack]] is being conducted by notifying the system administrator when a duplicate MAC address is being used on the network. Arpwatch is most commonly ran on routers, but it can also useful on a managed network switch. | Arpwatch allows a system to track [[https://en.wikipedia.org/wiki/IP_address|IP]] address pairings. It maps the [[https://en.wikipedia.org/wiki/MAC_address|MAC Addresses]] on a network by tracking [[https://en.wikipedia.org/wiki/Address_Resolution_Protocol|ARP]] requests to each device on the [[https://en.wikipedia.org/wiki/LAN|LAN]] and recording the response in a database. All network cards are manufactured with a unique MAC address and this allows Arpwatch to identify each device. The main purpose of mapping a network like this is so the system administrator can keep track of the devices on a network and identify when there are networking issues. Arpwatch is commonly used to identify when an [[https://en.wikipedia.org/wiki/ARP_spoofing|ARP Man in the Middle attack]] is being conducted by notifying the system administrator when a duplicate MAC address is being used on the network. Arpwatch is most commonly ran on routers, but it can also useful on a managed network switch. |
su - | su - |
cd /var/lib/arpwatch | cd /var/lib/arpwatch |
wget http://standards.ieee.org/regauth/oui/oui.txt | wget http://standards-oui.ieee.org/oui.txt |
./massagevendor oui.txt > ethercodes.dat | ./massagevendor oui.txt > ethercodes.dat |
rm -f oui.txt | rm -f oui.txt |
| |
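Review bot: the replacement URL on the wget line is still plain http, and the file is fetched in a root shell (su -) and passed straight to ./massagevendor, so nothing checks that oui.txt arrived complete or unmodified before ethercodes.dat is rebuilt from it. Suggest using the https form of the same host if the server offers it. Because the commands are not chained, a failed wget still lets the "> ethercodes.dat" redirect truncate the existing database; write the massagevendor output to a temporary file and move it into place only when both wget and massagevendor succeed.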
===== Wrap Up ===== | ===== Wrap Up ===== |
Assuming all steps were followed, you should have receive an E-mail for each device Arpwatch discovers on your network. If you opted to use the **root** user for notifications, you can view them by using the **mail** command as root user. | Assuming all steps were followed you should have received an email for each device Arpwatch discovered on your network. If you opted to use the **root** user for notifications, you can view them by using the **mail** command as root user. |
| |
<code> | <code> |
hostname: <unknown> | hostname: <unknown> |
ip address: 192.168.151.170 | ip address: 192.168.151.170 |
ethernet address: b8:27:eb:31:be:89 | ethernet address: XX:XX:XX:XX:XX:XX |
ethernet address: XX:XX:XX:XX:XX:XX | ethernet address: XX:XX:XX:XX:XX:XX |
ethernet vendor: <unknown> | ethernet vendor: <unknown> |
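Review bot: on the first ethernet address line, masking b8:27:eb:31:be:89 as XX:XX:XX:XX:XX:XX leaves two identical ethernet address lines, so a reader can no longer tell the two fields apart in the sample notification. Suggest distinct, clearly labelled placeholders for the two lines (for example AA:AA:AA:AA:AA:AA and BB:BB:BB:BB:BB:BB), and keep in mind that the unmasked address is still visible in the earlier revision. In the Wrap Up sentence of the same hunk, the comma after "followed" was dropped and should be restored.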
<!-- Please do not modify anything below, except adding new tags.--> | <!-- Please do not modify anything below, except adding new tags.--> |
<!-- You must remove the tag-word "template" below before saving your new page --> | <!-- You must remove the tag-word "template" below before saving your new page --> |
{{tag>howtos template}} | {{tag>howtos network monitoring arpwatch}} |