Arpwatch - monitor mac addresses change
Arpwatch
Arpwatch is an open source program that monitors Ethernet traffic activity (such as changing IP and MAC addresses) on your network and maintains a database of Ethernet/IP address pairings. It logs each observed IP/MAC pairing together with a timestamp, so you can see exactly when a pairing appeared on the network. It can also send reports by email to a network administrator whenever a pairing is added or changed.
This tool is especially useful for network administrators who want to keep a watch on ARP activity to detect ARP spoofing or unexpected IP/MAC address modifications.
I've been using arpwatch for over 15 years, but on Linux with systemd, configuring and running this program is different from what it was years ago. This article describes the configuration of arpwatch on Debian with systemd.
Install arpwatch
~] apt-get install arpwatch
arpwatch configuration description
Arpwatch on systemd-based Linux systems does not support a configuration file, but the systemd unit files shipped with Debian allow launching arpwatch with a different configuration on each interface.
To do that, create a file called IFNAME.iface in /etc/arpwatch which contains variable assignments in sh syntax (comments are allowed). You can use the following variables to influence the invocation for that specific interface only:
- ARGS: overwrite the ARGS from /etc/default/arpwatch
- PCAP_FILTER: overwrite (or set) the pcap filter
- IFACE_ARGS: additional options to be passed to arpwatch
I have multiple Ethernet interfaces on my Debian server and I need to run arpwatch on the enp5s0 interface:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:11:25:22:08:d2 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.209/24 brd 192.168.0.255 scope global enp4s0
valid_lft forever preferred_lft forever
inet6 fe80::211:25ff:fe22:8d2/64 scope link
valid_lft forever preferred_lft forever
3: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:11:25:22:08:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.12.209/24 brd 192.168.12.255 scope global enp5s0
valid_lft forever preferred_lft forever
inet6 fe80::211:25ff:fe22:8d3/64 scope link
valid_lft forever preferred_lft forever
In addition, on the enp5s0 interface I need to monitor MAC address changes not only for the local 192.168.12.0/24 network but also for the networks 82.99.137.0/24, 84.244.68.0/24 and 212.158.133.0/24. MAC address changes must be logged to a file and also mailed to arpwatch@mydomain.com.
Arpwatch configuration
Go to the /etc/arpwatch directory and create the file enp5s0.iface (IFNAME.iface) with this content:
INTERFACES="enp5s0"
ARGS="-N -p"
IFACE_ARGS="-m arpwatch@mydomain.com -n 82.99.137.0/24 -n 84.244.68.0/24 -n 212.158.133.0/24"
Here is the man page for arpwatch: https://manpages.debian.org/unstable/arpwatch/arpwatch.8.en.html
- The -m option specifies the e-mail address to which reports will be sent. By default, reports are sent to root on the local machine.
- The -n flag specifies additional local networks. This is useful to avoid bogon warnings when more than one network runs on the same wire. If the optional width/mask is not specified, the default netmask for the network's class is used.
- The -N flag disables reporting of any bogons.
- The -p flag disables promiscuous operation. ARP broadcasts reach the interface without promiscuous mode, which saves the considerable resources that would otherwise be wasted processing gigabytes of non-broadcast traffic. Note that enabling promiscuous mode does not guarantee that arpwatch sees 100% of the traffic that concerns it.
Bogon packet
Bogon is an informal term for IP packets on the public Internet that claim to come from an area of the IP address space that is reserved but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or any of the Regional Internet Registries (RIRs). Private IP addresses are also considered bogons because they are not supposed to be found on the public Internet.
Arpwatch and systemd
Now you can start arpwatch on the enp5s0 interface with the systemctl start command:
~] systemctl daemon-reload
~] systemctl start arpwatch@enp5s0
You can check the arpwatch daemon status:
~] systemctl status arpwatch@enp5s0
* arpwatch@enp5s0.service - arpwatch service on interface enp5s0
Loaded: loaded (/lib/systemd/system/arpwatch@.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2021-07-16 11:55:49 CEST; 13min ago
Docs: man:arpwatch(8)
Main PID: 1250 (arpwatch)
Tasks: 1 (limit: 541)
Memory: 1.3M
CGroup: /system.slice/system-arpwatch.slice/arpwatch@enp5s0.service
`-1250 /usr/sbin/arpwatch -u arpwatch -i enp5s0 -f enp5s0.dat -N -p -m manak@sherlog.cz -n 82.99.137.0/24 -n 84.244.68.0/24 -n 212.158.133.0/24 -F
Jul 16 11:55:49 ns2-monitor systemd[1]: Starting arpwatch service on interface enp5s0...
Jul 16 11:55:49 ns2-monitor systemd[1]: Started arpwatch service on interface enp5s0.
Jul 16 11:55:49 ns2-monitor arpwatch[1250]: Running as uid=108 gid=116
Jul 16 11:55:49 ns2-monitor arpwatch[1250]: listening on enp5s0
Check that arpwatch is running:
~] ps aux|grep arp
arpwatch 1250 0.0 1.0 9888 5000 ? S 11:55 0:00 /usr/sbin/arpwatch -u arpwatch -i enp5s0 -f enp5s0.dat -N -p -m arpwatch@mydomain.com -n 82.99.137.0/24 -n 84.244.68.0/24 -n 212.158.133.0/24 -F
arpwatch after reboot
You have to enable the arpwatch@enp5s0 service unit so that it starts after a system reboot:
~] systemctl daemon-reload
~] systemctl enable arpwatch@enp5s0
Created symlink /etc/systemd/system/multi-user.target.wants/arpwatch@enp5s0.service -> /lib/systemd/system/arpwatch@.service.
arpwatch log file
By default arpwatch messages go to /var/log/syslog. I like a separate log file for every Linux daemon, so you can configure the rsyslog daemon to write arpwatch messages to a separate /var/log/arpwatch/arpwatch.log file.
Edit /etc/rsyslog.conf and add this content at the end of the file (the ~ action is rsyslog's legacy discard action, which newer rsyslog versions spell as stop):
if $programname == 'arpwatch' and $msg contains 'sent bad hardware format' then ~
if $programname == 'arpwatch' and $msg contains 'execl: /usr/lib/sendmail: No such file or directory' then ~
if $programname == 'arpwatch' and $msg contains 'reaper' then ~
if $programname == 'arpwatch' then /var/log/arpwatch/arpwatch.log
# Then I use the same redirect but with ~ as the action, causing the log line not to go into other filters
if $programname == 'arpwatch' then ~
Create the /var/log/arpwatch directory and the arpwatch.log file in it (rsyslog writes the file as root, so the world-writable 666 mode below is not required for it to work; a restrictive mode such as 640 is the safer choice):
~] mkdir /var/log/arpwatch
~] touch /var/log/arpwatch/arpwatch.log
~] chmod 666 /var/log/arpwatch/arpwatch.log
And restart rsyslog daemon:
~] /etc/init.d/rsyslog restart
[ ok ] Restarting rsyslog (via systemctl): rsyslog.service.
Now you can see messages from the running arpwatch daemon:
~] cat /var/log/arpwatch/arpwatch.log
Jul 15 14:31:21 ServerName arpwatch: Running as uid=108 gid=116
Jul 15 14:31:21 ServerName arpwatch: listening on enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 82.99.137.9 ec:13:db:a9:8c:81 enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 212.158.133.34 00:11:25:a9:4d:2b enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 212.158.133.10 ec:13:db:a9:8c:81 enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 212.158.133.7 00:11:25:a9:4d:2a enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 212.158.133.1 00:00:5e:00:01:15 enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 212.158.133.4 00:0a:14:80:86:15 enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 212.158.133.9 ec:13:db:a9:90:81 enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 212.158.133.5 00:23:04:63:00:dc enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 212.158.133.3 00:0a:14:80:8f:7d enp5s0
Jul 15 14:35:33 ServerName arpwatch: new station 82.99.137.15 00:80:a3:d3:02:3d enp5s0
Jul 15 14:42:03 ServerName arpwatch: new station 212.158.133.54 00:0c:29:cb:65:c4 enp5s0
Jul 15 14:45:14 ServerName arpwatch: new station 82.99.137.8 ec:13:db:a9:90:81 enp5s0
arpwatch mac addresses files
The default directory for the arpwatch MAC address database is /var/lib/arpwatch. The file is in IFNAME.dat format, one line per MAC/IP pairing with the epoch timestamp of its last activity and the interface. You can print the database content:
~] cat /var/lib/arpwatch/enp5s0.dat
ec:13:db:a9:8c:81 82.99.137.9 1626431148 enp5s0
00:80:a3:d3:02:3d 82.99.137.15 1626431091 enp5s0
ec:13:db:a9:90:81 82.99.137.8 1626430522 enp5s0
00:04:23:ad:5f:2e 82.99.137.7 1626427849 enp5s0
00:00:5e:00:01:16 82.99.137.1 1626428184 enp5s0
00:04:23:ad:5f:2e 82.99.137.2 1626428019 enp5s0
00:11:25:a9:4d:2b 212.158.133.34 1626431148 enp5s0
ec:13:db:a9:8c:81 212.158.133.10 1626431148 enp5s0
00:11:25:a9:4d:2a 212.158.133.7 1626428315 enp5s0
00:00:5e:00:01:15 212.158.133.1 1626428357 enp5s0
00:0a:14:80:86:15 212.158.133.4 1626428216 enp5s0
ec:13:db:a9:90:81 212.158.133.9 1626430988 enp5s0
00:23:04:63:00:dc 212.158.133.5 1626427431 enp5s0
00:0a:14:80:8f:7d 212.158.133.3 1626428357 enp5s0
00:0c:29:cb:65:c4 212.158.133.54 1626431138 enp5s0
00:23:04:63:00:dc 212.158.133.6 1626428125 enp5s0
00:04:23:c1:28:23 212.158.133.50 1626419378 enp5s0
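As an added example (not part of the original article or of arpwatch itself), here is a small audit script for the IFNAME.dat format shown above. It parses the database and reports IPs that have been seen with more than one MAC (what arpwatch mails as a changed address or flip flop), MACs that answer for several IPs, and IPs outside the networks passed with -n, i.e. the bogons that -N silences. The sample database is constructed from the listing above plus two constructed lines, and the local network list is assumed from the configuration on this page.

```python
import ipaddress
from collections import defaultdict

# Networks arpwatch treats as local here: the interface's own 192.168.12.0/24
# plus the three passed with -n (assumed from the page's configuration).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.168.12.0/24", "82.99.137.0/24", "84.244.68.0/24", "212.158.133.0/24")]

# Constructed sample in .dat format (MAC, IP, epoch timestamp, interface): lines
# from the listing above plus two constructed ones (a changed MAC, a bogon).
SAMPLE_DAT = """\
ec:13:db:a9:8c:81 82.99.137.9 1626431148 enp5s0
00:04:23:ad:5f:2e 82.99.137.7 1626427849 enp5s0
00:04:23:ad:5f:2e 82.99.137.2 1626428019 enp5s0
ec:13:db:a9:8c:81 212.158.133.10 1626431148 enp5s0
00:0c:29:cb:65:c4 212.158.133.54 1626431138 enp5s0
de:ad:be:ef:00:01 212.158.133.54 1626431999 enp5s0
de:ad:be:ef:00:02 10.0.0.5 1626432000 enp5s0
"""

def parse_dat(text):
    """Return (mac, ip, timestamp, iface) tuples; iface is '' when absent."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        iface = fields[3] if len(fields) > 3 else ""
        entries.append((fields[0].lower(), fields[1], int(fields[2]), iface))
    return entries

def ips_with_multiple_macs(entries):
    """IPs seen with more than one MAC, in first-seen order (spoofing view)."""
    seen = defaultdict(list)
    for mac, ip, _, _ in sorted(entries, key=lambda e: e[2]):
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def macs_with_multiple_ips(entries):
    """MACs answering for several IPs: normal for routers, odd for workstations."""
    seen = defaultdict(list)
    for mac, ip, _, _ in entries:
        if ip not in seen[mac]:
            seen[mac].append(ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}

def ips_outside_networks(entries, networks=LOCAL_NETWORKS):
    """IPs in none of the configured networks: the bogons that -N silences."""
    return sorted({ip for _, ip, _, _ in entries
                   if not any(ipaddress.ip_address(ip) in n for n in networks)})
```

Run it against the real file with parse_dat(open("/var/lib/arpwatch/enp5s0.dat").read()) to review a live database the same way.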
arpwatch emails
When the mail server is configured correctly, MAC address changes are mailed to your email address. Here is an example of such an email:
hostname: <unknown>
ip address: 212.158.133.39
interface: enp5s0
ethernet address: 00:04:23:c1:28:20
ethernet vendor: Intel Corporation
old ethernet address: 00:04:23:c1:28:21
old ethernet vendor: Intel Corporation
timestamp: Thursday, July 15, 2021 9:33:21 +0200
previous timestamp: Thursday, July 15, 2021 9:18:21 +0200
delta: 0 days