Arpwatch is an open-source tool that monitors Ethernet or FDDI network activity and maintains a database of IP address to MAC address mappings. Arpwatch notifies you via email if there is a change. Arpwatch is most commonly used to detect ARP spoofing security issues in the network. Arpwatch can run on most Linux distributions, UNIX and Sun Solaris.
Arpwatch uses libpcap, a system-independent interface for user-level packet capture, which should be installed before installing arpwatch. Arpwatch relies on the resolver library (/etc/resolv.conf) for hostname resolution. It is important that Arpwatch is installed in the same directory as libpcap.
Arpsnmp is a part of the package which is very similar to arpwatch, but it is not dependent on libpcap and uses SNMP to collect the IP to MAC address mappings. Arpsnmp uses a script called arpfetcher to perform snmpwalks and collect data. The script can get the MAC address table data from Cisco switches. All it needs is the IP address and the community name of the switch.
Installing Arpwatch requires
libpcap previously installed
ANSI C compiler (GNU compiler is fine)
Once libpcap is installed, edit the makefile.in file and modify the BINDEST and MANDEST paths to those of libpcap. This will ensure that arpwatch is installed in the same directory as libpcap. However, if you install only arpsnmp, libpcap is not required.
Run the configure script.
# ./configure
Once the config file runs without any error,
Run the make scripts to install Arpwatch
# make
If you need to install only arpsnmp then simply run
# make arpsnmp
Starting arpwatch creates a new arp.dat file (if there isn't one already). Because a new file is created, there will be a host of notification emails flying around on a busy subnet. Hence, for the first run, start it with the -d switch to avoid these emails.
If you are using Arpsnmp then there is a script called bihourly.sh which can be used as a cronjob. This requires you to create a file with hostnames and community names.
Another useful script is arp2ethers, which can convert an arp.dat file to ethers format.
Arpwatch (includes arpsnmp) can be downloaded from here
libpcap can be downloaded here. However, it can also be installed with the package managers on most Linux distributions and on Sun Solaris (sunfreeware has a pre-compiled package).
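The post describes what arpwatch does with its arp.dat database (one MAC per IP, a mail when the mapping changes, the first-run burst of "new station" mails, and arp2ethers for export) without showing the bookkeeping. The following is an added example written for this page, not arpwatch's own source: a small monitor that keeps the same kind of database and raises the same event kinds arpwatch mails about ("new station", "changed ethernet address", "flip flop", "bogon", "ethernet broadcast"), plus an arp.dat load/dump and an arp2ethers-style export. Assumptions: arp.dat lines are tab-separated `<mac>\t<ip>\t<unix-time>[\t<hostname>]`, the ethers output is one `<mac> <host-or-ip>` per line, and the ARP replies in `SAMPLE_REPLIES` are constructed for the demo, not captured traffic.

```python
"""Added example (not arpwatch's own code): a minimal arpwatch-style
IP-to-MAC tracker with arp.dat load/dump and an arp2ethers-style export.

Assumptions: arp.dat lines are "<mac>\t<ip>\t<unix-time>[\t<hostname>]";
ethers output is "<mac> <host-or-ip>" per line; SAMPLE_REPLIES is
constructed test data, not captured traffic.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Station:
    mac: str                       # most recently seen MAC for this IP
    first_seen: int
    last_seen: int
    host: Optional[str] = None
    old_mac: Optional[str] = None  # previous MAC; a return to it is a "flip flop"


class ArpMonitor:
    """Tracks sender IP/MAC pairs taken from ARP replies on one subnet."""

    def __init__(self, local_net: str, db: Optional[dict[str, Station]] = None):
        self.net = ipaddress.ip_network(local_net)
        self.db: dict[str, Station] = db if db is not None else {}

    def observe(self, ip: str, mac: str, ts: int) -> list[str]:
        """Record one ARP reply and return the events it triggers (possibly none)."""
        mac = mac.lower()
        if mac == BROADCAST:
            return ["ethernet broadcast"]     # nothing legitimately answers from ff:ff:..
        if ipaddress.ip_address(ip) not in self.net:
            return ["bogon"]                  # sender IP is not on this subnet
        st = self.db.get(ip)
        if st is None:
            self.db[ip] = Station(mac, ts, ts)
            return ["new station"]            # the first-run mail burst is all of these
        events = []
        if st.mac != mac:
            # The same IP now answers from another MAC: this is what ARP poisoning
            # looks like from the monitor's side. A return to the previous MAC is
            # reported as a flip flop (victim and attacker answering in turn).
            events.append("flip flop" if st.old_mac == mac else "changed ethernet address")
            st.old_mac, st.mac = st.mac, mac
        st.last_seen = ts
        return events

    def dump_arp_dat(self) -> str:
        lines = []
        for ip, st in sorted(self.db.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
            fields = [st.mac, ip, str(st.last_seen)] + ([st.host] if st.host else [])
            lines.append("\t".join(fields))
        return "\n".join(lines) + "\n"

    def to_ethers(self) -> str:
        """arp2ethers-style export: one 'mac host' line, IP where no hostname is known."""
        return "".join(f"{st.mac} {st.host or ip}\n" for ip, st in sorted(self.db.items()))


def load_arp_dat(text: str) -> dict[str, Station]:
    """Parse arp.dat text (assumed layout, see module docstring) into a database."""
    db: dict[str, Station] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        mac, ip, ts = parts[0].lower(), parts[1], int(parts[2])
        host = parts[3] if len(parts) > 3 and parts[3] else None
        db[ip] = Station(mac, ts, ts, host)
    return db


# Constructed ARP replies: (unix time, sender IP, sender MAC). Not captured data.
SAMPLE_REPLIES = [
    (1700000000, "192.168.1.1",  "00:11:22:33:44:01"),  # gateway, first sighting
    (1700000001, "192.168.1.10", "00:11:22:33:44:10"),  # a workstation
    (1700000002, "192.168.1.1",  "00:11:22:33:44:01"),  # routine refresh, no event
    (1700000030, "192.168.1.1",  "de:ad:be:ef:00:01"),  # gateway IP claimed by another MAC
    (1700000031, "192.168.1.1",  "00:11:22:33:44:01"),  # real gateway answers again
    (1700000032, "192.168.1.1",  "de:ad:be:ef:00:01"),  # attacker re-poisons
    (1700000040, "10.0.0.5",     "00:11:22:33:44:55"),  # sender IP outside the local net
    (1700000041, "192.168.1.20", "ff:ff:ff:ff:ff:ff"),  # reply from the broadcast address
]


def demo(replies=SAMPLE_REPLIES, local_net="192.168.1.0/24"):
    """Feed the sample through a monitor; returns (monitor, [(ts, ip, mac, event), ...])."""
    mon = ArpMonitor(local_net)
    out = []
    for ts, ip, mac in replies:
        for ev in mon.observe(ip, mac, ts):
            out.append((ts, ip, mac, ev))
    return mon, out


if __name__ == "__main__":
    mon, events = demo()
    for ts, ip, mac, ev in events:
        print(f"{ts} {ev:<25} {ip:<15} {mac}")
    print(mon.dump_arp_dat())
    print(mon.to_ethers())
```

The sequence on 192.168.1.1 is the signature worth alerting on: one "changed ethernet address" followed by repeated "flip flop" events as the real gateway and the poisoner keep overwriting each other, which is exactly the pattern a victim's ARP cache sees during an ARP poisoning attack. Note that the monitor only sees traffic on its own segment, so one instance is needed per broadcast domain.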
loooooooooooooooooooooooooooooooooooooooool
Where are the rest?
Address Resolution Protocol (ARP) attacks, because of their simplicity, speed and effectiveness, are becoming increasingly popular among internet attackers, and are having a severe impact on the network environment.
ARP spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack). The attack can obviously only happen on networks that actually use ARP and not some other method.
First, let me introduce the tool I use, Ax3soft Sax2. There are many such tools, such as Sniffer, Snort, Ethereal, etc. I do not think that Sax2 is the best tool; I just think that Sax2 is easy to use and can quickly and accurately locate the ARP source when an ARP attack happens in the network, so as to ensure normal and reliable network operation.
Solution:
First, launch sax2 and switch to the Diagnosis View.
Diagnosis View is the most direct and effective place to locate an ARP attack and should be our first choice. Its interface is shown in picture 1.
[img]http://www.ids-sax2.com/articles/images/QuickLocateARPAttackSource.gif[/img] (picture1)
Picture 1 clearly shows that there are two kinds of ARP attack events in the network, ARP Scan and ARP MAC address changed, and the attack source is clearly given at the bottom. Meanwhile, Sax2 NIDS provides the reasons for such ARP attacks and the corresponding solutions.
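The post names two event kinds, an ARP scan and a changed MAC address, and says the attack source is listed underneath, but does not say how a scan is recognised. The following is an added example for this page, not Sax2's code and not its detection logic: one common heuristic, counting how many distinct target IPs a single sender MAC asks for inside a sliding time window and naming that sender as the source once the count crosses a threshold. The window and threshold values are assumptions you would tune for your network, and the ARP requests built in `build_sample()` are constructed, not captured.

```python
"""Added example (not Sax2's code): flag an ARP scan by counting the
distinct target IPs one sender MAC requests within a sliding window.

Assumptions: WINDOW_SECONDS / THRESHOLD are illustrative tuning values;
the requests from build_sample() are constructed, not captured traffic.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0   # assumption: look back this far per sender
THRESHOLD = 10         # assumption: distinct targets in the window that count as a sweep


class ArpScanDetector:
    """Feed ARP requests (who-has) one at a time; get an alert when a sender sweeps."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)   # sender MAC -> deque of (ts, target_ip)
        self._alerted = set()               # report each scanning source once

    def feed(self, ts, sender_mac, target_ip):
        """Return an alert dict the first time sender_mac crosses the threshold, else None."""
        q = self._recent[sender_mac]
        q.append((ts, target_ip))
        while q and ts - q[0][0] > self.window:   # drop probes older than the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= self.threshold and sender_mac not in self._alerted:
            self._alerted.add(sender_mac)
            return {
                "event": "ARP scan",
                "source": sender_mac,          # the attack source, as Sax2 lists it
                "targets": len(targets),
                "first": q[0][0],
                "last": ts,
            }
        return None


def build_sample():
    """Constructed ARP requests as (ts, sender_mac, target_ip), sorted by time."""
    reqs = []
    # A normal host resolving its gateway, printer and file server over ten seconds.
    for ts, tgt in [(100.0, "192.168.1.1"), (103.0, "192.168.1.50"), (109.0, "192.168.1.51")]:
        reqs.append((ts, "00:11:22:33:44:10", tgt))
    # A scanner sweeping the low part of the /24 at ten probes per second.
    for i in range(1, 31):
        reqs.append((105.0 + i * 0.1, "de:ad:be:ef:00:01", f"192.168.1.{i}"))
    return sorted(reqs)


def run(requests, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Run the detector over a request list; returns the list of alerts raised."""
    det = ArpScanDetector(window, threshold)
    alerts = []
    for ts, mac, tgt in requests:
        alert = det.feed(ts, mac, tgt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(build_sample()):
        print(f"{a['event']}: source {a['source']} asked for {a['targets']} hosts "
              f"between t={a['first']:.1f} and t={a['last']:.1f}")
```

The normal host never exceeds three distinct targets and is not reported, while the scanner trips the threshold on its tenth probe and is named once. The weakness of this heuristic is the same as for any rate rule: a slow sweep spread over longer than the window is invisible, so in practice the window is set from what normal hosts on the segment actually do, and the "MAC address changed" check is kept alongside it rather than replaced by it.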