arpwatch is a program that helps you watch for changing IP addresses and MAC addresses on your network. It lists the information with a timestamp so you can carefully watch the activity.
Use arpwatch to Prevent ARP Spoofing
ARP spoofing, or Address Resolution Protocol spoofing, creates a situation on a network where the attacker is able to sniff data frames and/or modify the data by sending spoofed ARP messages. The attacker associates their MAC address with the IP address of a different computer on the network. Running in the background, arpwatch constantly monitors your network for IP/MAC changes. It reports those changes rather than blocking them, so its value lies in early warning. You will have a log you can view at /var/lib/arpwatch, and you can also have arpwatch send you an email to warn you when changes occur.
When you want to see arpwatch in action, use the “-d” option. This is the debugging option: arpwatch does not fork into the background or send an email message of activity; it just sends output to stderr so you can view it on a terminal.
eth0 -a -n 192.168.1.0/24 -m your_email@your_address.com
# /etc/init.d/arpwatch restart
Starting Ethernet/FDDI station monitor daemon: (creating /var/lib/arpwatch/eth0.dat) (chown arpwatch /var/lib/arpwatch/eth0.dat) arpwatch-eth0.
Check to See That It Is Running
# ps -ef | grep aprwatch
root 4013 3998 0 03:20 pts/1 00:00:00 grep aprwatch
Jun 9 02:58:58 m67 arpwatch: listening on eth0
Jun 9 02:58:58 m67 kernel: [ 935.587402] device eth0 entered promiscuous mode
arp.dat arp.dat- eth0.dat eth0.dat-
# cat /var/lib/arpwatch/arp.dat
0:1b:fc:68:68:33 192.168.1.100 1244559595
0:14:bf:7f:59:b0 192.168.1.222 1244559595
0:1:e6:b1:5c:1d 192.168.1.11 1244538519
0:1b:fc:90:e6:ac 192.168.1.8 1244558719
0:11:95:69:2e:f8 192.168.1.101 1244557051
# cat /var/lib/arpwatch/eth0.dat
0:1b:fc:68:68:33 192.168.1.100 1244545832 m67 eth0
0:14:bf:7f:59:b0 192.168.1.222 1244545832 eth0
0:1b:fc:90:e6:ac 192.168.1.8 1244545954 ub3 eth0
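
The database lines shown above can be checked for the IP/MAC changes this page describes. The following is an added example, not part of arpwatch or of the original page: it compares two snapshots of the database, and its function names and sample data are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample snapshots in the "MAC IP epoch" layout shown above.
OLD = """0:1b:fc:68:68:33 192.168.1.100 1244559595
0:11:95:69:2e:f8 192.168.1.101 1244557051
0:1:e6:b1:5c:1d 192.168.1.11 1244538519"""
NEW = """0:11:95:69:2e:f8 192.168.1.100 1244560000
0:11:95:69:2e:f8 192.168.1.101 1244557051
0:1:e6:b1:5c:1d 192.168.1.11 1244538519"""

def norm_mac(mac):
    # arpwatch drops leading zeros (0:1:e6:...); pad each octet to two digits
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse_db(text):
    """Yield (mac, ip, epoch) from database lines; extra fields
    (hostname, interface) are ignored, short lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2].isdigit():
            yield norm_mac(fields[0]), fields[1], int(fields[2])

def find_changes(old_text, new_text):
    """Return (changed, shared): IPs now claimed by a MAC not seen for them
    before, and MACs that answer for more than one IP in the new snapshot."""
    known = {}
    for mac, ip, _ in parse_db(old_text):
        known.setdefault(ip, set()).add(mac)
    changed, by_mac = [], {}
    for mac, ip, seen in parse_db(new_text):
        by_mac.setdefault(mac, set()).add(ip)
        if ip in known and mac not in known[ip]:
            when = datetime.fromtimestamp(seen, timezone.utc).isoformat()
            changed.append((ip, sorted(known[ip]), mac, when))
    shared = {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}
    return changed, shared

if __name__ == "__main__":
    changed, shared = find_changes(OLD, NEW)
    for ip, old_macs, new_mac, when in changed:
        print(f"{ip}: {', '.join(old_macs)} -> {new_mac} (last seen {when})")
    for mac, ips in shared.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A MAC that answers for several IPs is also normal for routers and multi-homed hosts, so treat the second result as a lead to verify rather than proof of spoofing.
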
-f set file name for database
-i override the default network interface
-n local networks only
-N disable reporting bogons
-r specify a saved file to read from
-m email address where info will be sent