Arpwatch - monitor MAC address changes

Arpwatch

Arpwatch is an open source program that monitors Ethernet activity on your network (such as changing IP and MAC addresses) and maintains a database of Ethernet/IP address pairings. It logs every IP/MAC pairing it notices together with a timestamp, so you can see exactly when a pairing appeared on the network. It can also e-mail reports to a network administrator whenever a pairing is added or changed.

This tool is especially useful for network administrators who want to watch ARP activity in order to detect ARP spoofing or unexpected IP/MAC address changes.

I've been using arpwatch for over 15 years, but on Linux with systemd, configuring and running this program differs from how it was done years ago. This article describes the configuration of arpwatch on Debian with systemd.

Install arpwatch

~] apt-get install arpwatch

arpwatch configuration description

Arpwatch on systemd-based Linux systems does not support a configuration file, but the systemd unit files shipped with Debian allow launching arpwatch with a different configuration on each interface.

To do that, create a file called IFNAME.iface which contains variable assignments in sh syntax (comments are allowed). The following variables influence the invocation for that specific interface only:

  • ARGS: overwrite the ARGS from /etc/default/arpwatch
  • PCAP_FILTER: overwrite (or set) the pcap filter
  • IFACE_ARGS: additional options to be passed to arpwatch

I have multiple Ethernet interfaces on my Debian server and I need to run arpwatch on the enp5s0 interface:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:25:22:08:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.209/24 brd 192.168.0.255 scope global enp4s0
       valid_lft forever preferred_lft forever
    inet6 fe80::211:25ff:fe22:8d2/64 scope link 
       valid_lft forever preferred_lft forever
3: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:25:22:08:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.209/24 brd 192.168.12.255 scope global enp5s0
       valid_lft forever preferred_lft forever
    inet6 fe80::211:25ff:fe22:8d3/64 scope link 
       valid_lft forever preferred_lft forever

In addition, on the enp5s0 interface I need to monitor MAC address changes not only for the local 192.168.12.0/24 network but also for the networks 82.99.137.0/24, 84.244.68.0/24 and 212.158.133.0/24. MAC address changes must be logged to a file and also mailed to arpwatch@mydomain.com.

Arpwatch configuration

Go to the /etc/arpwatch directory and create the file enp5s0.iface (IFNAME.iface) with this content:

/etc/arpwatch/enp5s0.iface
INTERFACES="enp5s0"
ARGS="-N -p"
IFACE_ARGS="-m arpwatch@mydomain.com -n 82.99.137.0/24 -n 84.244.68.0/24 -n 212.158.133.0/24"

The arpwatch man page is here: https://manpages.debian.org/unstable/arpwatch/arpwatch.8.en.html

  • The -m option is used to specify the e-mail address to which reports will be sent. By default, reports are sent to root on the local machine.

  • The -n flag specifies additional local networks. This can be useful to avoid bogon warnings when there is more than one network running on the same wire. If the optional width/mask is not specified, the default netmask for the network's class is used.

  • The -N flag disables reporting any bogons.

  • The -p flag disables promiscuous operation. ARP broadcasts get through hubs without having the interface in promiscuous mode, while saving considerable resources that would be wasted on processing gigabytes of non-broadcast traffic. Setting promiscuous mode does not mean getting 100% traffic that would concern arpwatch.

Arpwatch and systemd

Now you can start arpwatch on the enp5s0 interface with the systemctl start command:

~] systemctl daemon-reload
~] systemctl start arpwatch@enp5s0

You can check the status of the arpwatch daemon:

~] systemctl status arpwatch@enp5s0
* arpwatch@enp5s0.service - arpwatch service on interface enp5s0
   Loaded: loaded (/lib/systemd/system/arpwatch@.service; disabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-07-16 11:55:49 CEST; 13min ago
     Docs: man:arpwatch(8)
 Main PID: 1250 (arpwatch)
    Tasks: 1 (limit: 541)
   Memory: 1.3M
   CGroup: /system.slice/system-arpwatch.slice/arpwatch@enp5s0.service
           `-1250 /usr/sbin/arpwatch -u arpwatch -i enp5s0 -f enp5s0.dat -N -p -m manak@sherlog.cz -n 82.99.137.0/24 -n 84.244.68.0/24 -n 212.158.133.0/24 -F

Jul 16 11:55:49 ns2-monitor systemd[1]: Starting arpwatch service on interface enp5s0...
Jul 16 11:55:49 ns2-monitor systemd[1]: Started arpwatch service on interface enp5s0.
Jul 16 11:55:49 ns2-monitor arpwatch[1250]: Running as uid=108 gid=116
Jul 16 11:55:49 ns2-monitor arpwatch[1250]: listening on enp5s0

Check that arpwatch is running:

~] ps aux|grep arp
arpwatch  1250  0.0  1.0   9888  5000 ?        S    11:55   0:00 /usr/sbin/arpwatch -u arpwatch -i enp5s0 -f enp5s0.dat -N -p -m arpwatch@mydomain.com -n 82.99.137.0/24 -n 84.244.68.0/24 -n 212.158.133.0/24 -F

arpwatch after reboot

You have to enable the arpwatch@enp5s0 service unit so that it starts after a system reboot:

~] systemctl daemon-reload
~] systemctl enable arpwatch@enp5s0
Created symlink /etc/systemd/system/multi-user.target.wants/arpwatch@enp5s0.service -> /lib/systemd/system/arpwatch@.service.

arpwatch log file

By default arpwatch logs through syslog, so its messages end up in /var/log/syslog. I prefer a separate log file for every Linux daemon, and you can configure the rsyslog daemon to write arpwatch messages to a separate /var/log/arpwatch/arpwatch.log file.

Edit the /etc/rsyslog.conf file and add this content at the end of the file. The first three rules discard noisy messages before the rest is written to the separate file; note that the second of them hides the error arpwatch logs when no sendmail binary is installed, so if you rely on the e-mail reports, verify that mail delivery works before discarding that message:

/etc/rsyslog.conf
if $programname == 'arpwatch' and $msg contains 'sent bad hardware format' then ~
if $programname == 'arpwatch' and $msg contains 'execl: /usr/lib/sendmail: No such file or directory' then ~
if $programname == 'arpwatch' and $msg contains 'reaper' then ~
if $programname == 'arpwatch' then /var/log/arpwatch/arpwatch.log
# Then I use the same redirect but with ~ as the action, causing the log line not to go into other filters
if $programname == 'arpwatch' then ~

Create the /var/log/arpwatch directory and the arpwatch.log file in it (rsyslog on Debian writes as root, so a world-writable file is not required; Debian's own log files under /var/log use mode 0640 with owner root and group adm):

~] mkdir /var/log/arpwatch
~] touch /var/log/arpwatch/arpwatch.log
~] chmod 666 /var/log/arpwatch/arpwatch.log

And restart the rsyslog daemon:

~] /etc/init.d/rsyslog restart
[ ok ] Restarting rsyslog (via systemctl): rsyslog.service.

Now you can see the messages from the running arpwatch daemon:

~] cat /var/log/arpwatch/arpwatch.log
Jul 15 14:31:21 ServerName arpwatch: Running as uid=108 gid=116
Jul 15 14:31:21 ServerName arpwatch: listening on enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 82.99.137.9 ec:13:db:a9:8c:81 enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 212.158.133.34 00:11:25:a9:4d:2b enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 212.158.133.10 ec:13:db:a9:8c:81 enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 212.158.133.7 00:11:25:a9:4d:2a enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 212.158.133.1 00:00:5e:00:01:15 enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 212.158.133.4 00:0a:14:80:86:15 enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 212.158.133.9 ec:13:db:a9:90:81 enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 212.158.133.5 00:23:04:63:00:dc enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 212.158.133.3 00:0a:14:80:8f:7d enp5s0
Jul 15 14:35:33 ServerName arpwatch: new station 82.99.137.15 00:80:a3:d3:02:3d enp5s0
Jul 15 14:42:03 ServerName arpwatch: new station 212.158.133.54 00:0c:29:cb:65:c4 enp5s0
Jul 15 14:45:14 ServerName arpwatch: new station 82.99.137.8 ec:13:db:a9:90:81 enp5s0
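The log above contains only "new station" lines, which are expected when arpwatch first learns a network. The lines worth alerting on are "changed ethernet address" and "flip flop", which arpwatch writes in the same syslog format with the previous MAC in parentheses. The following Python script is an added example, not code from the original post or from the arpwatch project: it parses arpwatch syslog lines into events, assigns each event a severity, and prints the ones that deserve attention. The sample log is constructed; its two "new station" lines copy the format shown above, and the changed-address line reuses the addresses from the e-mail report shown later in this post. The event names and the severity mapping are my assumptions, taken from the message types listed in arpwatch(8).

```python
"""Classify arpwatch syslog lines by event type (added example, not from the post)."""
import re
from collections import Counter

# Constructed sample: the "new station" lines follow the post's log format; the
# "changed ethernet address", "flip flop" and "bogon" lines are made up for the demo.
SAMPLE_LOG = """\
Jul 15 14:31:21 ServerName arpwatch: listening on enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 82.99.137.9 ec:13:db:a9:8c:81 enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 212.158.133.34 00:11:25:a9:4d:2b enp5s0
Jul 15 15:02:10 ServerName arpwatch: changed ethernet address 212.158.133.39 00:04:23:c1:28:20 (00:04:23:c1:28:21) enp5s0
Jul 15 15:02:41 ServerName arpwatch: flip flop 212.158.133.39 00:04:23:c1:28:21 (00:04:23:c1:28:20) enp5s0
Jul 15 15:05:00 ServerName arpwatch: bogon 10.9.8.7 de:ad:be:ef:00:01 enp5s0
"""

# Some arpwatch builds print MAC octets without zero padding, so allow 1-2 hex digits.
MAC = r"(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Syslog framing as in the post ("Jul 15 14:34:25 ServerName arpwatch: ...");
# journald-style lines carry "[pid]" after the program name, so it is optional.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"arpwatch(?:\[\d+\])?: (?P<msg>.+)$"
)

# arpwatch event messages: "<event> <ip> <mac> [(<old mac>)] <interface>"
EVENT_RE = re.compile(
    rf"^(?P<event>[a-z ]+?) (?P<ip>{IPV4}) (?P<mac>{MAC})"
    rf"(?: \((?P<old_mac>{MAC})\))? (?P<iface>\S+)$"
)

# Severity per event type (assumption: tune to your environment).
SEVERITY = {
    "new station": "info",
    "new activity": "info",
    "bogon": "warning",
    "reused old ethernet address": "warning",
    "changed ethernet address": "alert",
    "flip flop": "alert",
}
ORDER = {"info": 0, "notice": 1, "warning": 2, "alert": 3}


def parse_line(line):
    """Return an event dict for an arpwatch event line, or None for other lines."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ev = EVENT_RE.match(m.group("msg"))
    if not ev:
        return None  # start-up chatter such as "listening on enp5s0"
    event = ev.group("event")
    old_mac = ev.group("old_mac")
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "event": event,
        "ip": ev.group("ip"),
        "mac": ev.group("mac").lower(),
        "old_mac": old_mac.lower() if old_mac else None,
        "iface": ev.group("iface"),
        "severity": SEVERITY.get(event, "notice"),
    }


def parse_log(text):
    """Parse a whole log, skipping lines that are not arpwatch events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def alerts(events, min_severity="warning"):
    """Events at or above the given severity."""
    threshold = ORDER[min_severity]
    return [e for e in events if ORDER[e["severity"]] >= threshold]


def count_by_severity(events):
    return dict(Counter(e["severity"] for e in events))


def format_alert(e):
    old = f" (was {e['old_mac']})" if e["old_mac"] else ""
    return (f"{e['ts']} {e['host']} [{e['severity'].upper()}] {e['event']}: "
            f"{e['ip']} -> {e['mac']}{old} on {e['iface']}")


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("events by severity:", count_by_severity(events))
    for e in alerts(events):
        print(format_alert(e))
```

Feed it the real file with `parse_log(open("/var/log/arpwatch/arpwatch.log").read())`; a "flip flop" between two MACs for the same IP in a short time window is the pattern that distinguishes a spoofing attempt or a duplicated address from a legitimate NIC replacement, which shows up as a single "changed ethernet address".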

arpwatch MAC address files

The default directory for the arpwatch MAC address database is /var/lib/arpwatch. The file is named IFNAME.dat and each line holds the MAC address, the IP address, the Unix timestamp of the last sighting and the interface. You can print the database content:

~] cat /var/lib/arpwatch/enp5s0.dat
ec:13:db:a9:8c:81       82.99.137.9     1626431148  enp5s0
00:80:a3:d3:02:3d       82.99.137.15    1626431091  enp5s0
ec:13:db:a9:90:81       82.99.137.8     1626430522  enp5s0
00:04:23:ad:5f:2e       82.99.137.7     1626427849  enp5s0
00:00:5e:00:01:16       82.99.137.1     1626428184  enp5s0
00:04:23:ad:5f:2e       82.99.137.2     1626428019  enp5s0
00:11:25:a9:4d:2b       212.158.133.34  1626431148  enp5s0
ec:13:db:a9:8c:81       212.158.133.10  1626431148  enp5s0
00:11:25:a9:4d:2a       212.158.133.7   1626428315  enp5s0
00:00:5e:00:01:15       212.158.133.1   1626428357  enp5s0
00:0a:14:80:86:15       212.158.133.4   1626428216  enp5s0
ec:13:db:a9:90:81       212.158.133.9   1626430988  enp5s0
00:23:04:63:00:dc       212.158.133.5   1626427431  enp5s0
00:0a:14:80:8f:7d       212.158.133.3   1626428357  enp5s0
00:0c:29:cb:65:c4       212.158.133.54  1626431138  enp5s0
00:23:04:63:00:dc       212.158.133.6   1626428125  enp5s0
00:04:23:c1:28:23       212.158.133.50  1626419378  enp5s0
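The .dat file is a plain whitespace-separated table, so it is easy to audit offline: an IP address listed with more than one MAC is a past address change, a MAC listed with several IPs is usually a router or a host with aliases (in the dump above, ec:13:db:a9:8c:81 answers for both 82.99.137.9 and 212.158.133.10), and entries whose timestamp is far in the past are stale. The following Python script is an added example, not code from the post or from arpwatch: it parses the .dat format shown above and reports those three conditions. The sample data is constructed; most lines are copied from the dump above, and the two entries for 212.158.133.39 are made up from the old and new MAC in the e-mail report shown in the next section.

```python
"""Audit an arpwatch IFNAME.dat database (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: four lines copied from the post's enp5s0.dat, plus two
# entries for 212.158.133.39 built from the old/new MAC in the post's e-mail report.
SAMPLE_DAT = """\
ec:13:db:a9:8c:81       82.99.137.9     1626431148  enp5s0
00:80:a3:d3:02:3d       82.99.137.15    1626431091  enp5s0
ec:13:db:a9:8c:81       212.158.133.10  1626431148  enp5s0
00:04:23:c1:28:21       212.158.133.39  1626333501  enp5s0
00:04:23:c1:28:20       212.158.133.39  1626334401  enp5s0
00:04:23:c1:28:23       212.158.133.50  1626419378  enp5s0
"""


def parse_dat(text):
    """Parse 'mac ip timestamp [iface]' lines into a list of records."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {n}: expected 'mac ip timestamp [iface]', got {line!r}")
        records.append({
            "mac": parts[0].lower(),
            "ip": parts[1],
            "ts": int(parts[2]),
            "iface": parts[3] if len(parts) > 3 else None,
        })
    return records


def macs_per_ip(records):
    """IPs seen with more than one MAC, each MAC with its last-seen time, newest first."""
    seen = defaultdict(dict)
    for r in records:
        seen[r["ip"]][r["mac"]] = max(r["ts"], seen[r["ip"]].get(r["mac"], 0))
    return {ip: sorted(macs.items(), key=lambda kv: kv[1], reverse=True)
            for ip, macs in seen.items() if len(macs) > 1}


def ips_per_mac(records):
    """MACs that answer for more than one IP (routers, aliases, or proxy ARP)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["mac"]].add(r["ip"])
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


def stale(records, now_ts, max_age_days=30):
    """Records not seen within max_age_days of now_ts."""
    cutoff = now_ts - max_age_days * 86400
    return [r for r in records if r["ts"] < cutoff]


def to_iso(ts):
    """Render an arpwatch Unix timestamp as ISO 8601 in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    recs = parse_dat(SAMPLE_DAT)
    for ip, macs in macs_per_ip(recs).items():
        history = ", ".join(f"{mac} (last seen {to_iso(ts)})" for mac, ts in macs)
        print(f"{ip}: {len(macs)} MACs: {history}")
    for mac, ips in ips_per_mac(recs).items():
        print(f"{mac} answers for {', '.join(ips)}")
    newest = max(r["ts"] for r in recs)
    for r in stale(recs, newest, max_age_days=1):
        print(f"stale: {r['ip']} {r['mac']} last seen {to_iso(r['ts'])}")
```

Run it against the live file with `parse_dat(open("/var/lib/arpwatch/enp5s0.dat").read())`, and pass `time.time()` as `now_ts` to `stale()`; comparing the IP-to-MAC history with your own inventory is a quick way to confirm that a reported change corresponds to a planned hardware swap.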

arpwatch emails

When your mail server is configured correctly, MAC address changes are mailed to your e-mail address. Here is an example of such an e-mail:

            hostname: <unknown>
          ip address: 212.158.133.39
           interface: enp5s0
    ethernet address: 00:04:23:c1:28:20
     ethernet vendor: Intel Corporation
old ethernet address: 00:04:23:c1:28:21
 old ethernet vendor: Intel Corporation
           timestamp: Thursday, July 15, 2021 9:33:21 +0200
  previous timestamp: Thursday, July 15, 2021 9:18:21 +0200
               delta: 0 days