Arpwatch - monitor MAC address changes
Arpwatch is an open source program that monitors Ethernet activity on your network (such as changing IP and MAC addresses) and maintains a database of Ethernet/IP address pairings. It logs each observed IP/MAC pairing together with a timestamp, so you can see exactly when a pairing appeared on the network. It can also send a report by e-mail to a network administrator whenever a pairing is added or changed.
This tool is especially useful for network administrators who want to keep watch on ARP activity in order to detect ARP spoofing or unexpected IP/MAC address changes.
I've been using arpwatch for over 15 years, but on Linux with systemd, configuring and running this program is different from what it was years ago. We will describe the configuration of arpwatch on Debian with systemd.
~] apt-get install arpwatch
arpwatch configuration description
Arpwatch on systemd-based Linux systems does not support a configuration file, but the systemd unit files shipped with Debian let you launch arpwatch with a different configuration on each interface.
To do that, create a file called IFNAME.iface in /etc/arpwatch that contains variable assignments in sh syntax (comments are allowed). You can use the following variables to influence the invocation for that specific interface only:
- ARGS: overwrite the ARGS from /etc/default/arpwatch
- PCAP_FILTER: overwrite (or set) the pcap filter
- IFACE_ARGS: additional options to be passed to arpwatch
I have multiple Ethernet interfaces on my Debian server and I need to run arpwatch on the enp5s0 interface:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:25:22:08:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.209/24 brd 192.168.0.255 scope global enp4s0
       valid_lft forever preferred_lft forever
    inet6 fe80::211:25ff:fe22:8d2/64 scope link
       valid_lft forever preferred_lft forever
3: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:25:22:08:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.209/24 brd 192.168.12.255 scope global enp5s0
       valid_lft forever preferred_lft forever
    inet6 fe80::211:25ff:fe22:8d3/64 scope link
       valid_lft forever preferred_lft forever
In addition, on the enp5s0 interface I need to monitor MAC address changes not only for the local network 192.168.12.0/24, but also for the networks 18.104.22.168/24, 22.214.171.124/24 and 126.96.36.199/24. MAC address changes must be logged to a file and also mailed to email@example.com.
Go to the /etc/arpwatch directory and create the file enp5s0.iface (IFNAME.iface) with this content:
INTERFACES="enp5s0"
ARGS="-N -p"
IFACE_ARGS="-m firstname.lastname@example.org -n 188.8.131.52/24 -n 184.108.40.206/24 -n 220.127.116.11/24"
Here is the man page for arpwatch: https://manpages.debian.org/unstable/arpwatch/arpwatch.8.en.html
The -m option is used to specify the e-mail address to which reports will be sent. By default, reports are sent to root on the local machine.
The -n flag specifies additional local networks. This can be useful to avoid bogon warnings when there is more than one network running on the same wire. If the optional width/mask is not specified, the default netmask for the network's class is used.
The -N flag disables reporting any bogons.
The -p flag disables promiscuous operation. ARP broadcasts get through hubs without having the interface in promiscuous mode, while saving considerable resources that would be wasted on processing gigabytes of non-broadcast traffic. Setting promiscuous mode does not mean getting 100% traffic that would concern arpwatch.
Bogon packet
Bogon is an informal term for IP packets on the public Internet that claim to come from an area of IP address space that is reserved but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or any of the Regional Internet Registries (RIRs). Private IP addresses are also considered bogons because they are not supposed to appear on the public Internet.
Arpwatch and systemd
Now you can start arpwatch on the enp5s0 interface with the systemctl start command:
~] systemctl daemon-reload
~] systemctl start arpwatch@enp5s0
You can check the status of the arpwatch daemon:
~] systemctl status arpwatch@enp5s0
* email@example.com - arpwatch service on interface enp5s0
     Loaded: loaded (/lib/systemd/system/arpwatch@.service; disabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-07-16 11:55:49 CEST; 13min ago
       Docs: man:arpwatch(8)
   Main PID: 1250 (arpwatch)
      Tasks: 1 (limit: 541)
     Memory: 1.3M
     CGroup: /firstname.lastname@example.org
             `-1250 /usr/sbin/arpwatch -u arpwatch -i enp5s0 -f enp5s0.dat -N -p -m email@example.com -n 18.104.22.168/24 -n 22.214.171.124/24 -n 126.96.36.199/24 -F

Jul 16 11:55:49 ns2-monitor systemd: Starting arpwatch service on interface enp5s0...
Jul 16 11:55:49 ns2-monitor systemd: Started arpwatch service on interface enp5s0.
Jul 16 11:55:49 ns2-monitor arpwatch: Running as uid=108 gid=116
Jul 16 11:55:49 ns2-monitor arpwatch: listening on enp5s0
Check that arpwatch is running:
~] ps aux|grep arp
arpwatch 1250 0.0 1.0 9888 5000 ? S 11:55 0:00 /usr/sbin/arpwatch -u arpwatch -i enp5s0 -f enp5s0.dat -N -p -m firstname.lastname@example.org -n 188.8.131.52/24 -n 184.108.40.206/24 -n 220.127.116.11/24 -F
arpwatch after reboot
You have to enable the arpwatch@enp5s0 service unit so that it starts again after a system reboot:
~] systemctl daemon-reload
~] systemctl enable arpwatch@enp5s0
Created symlink /email@example.com -> /lib/systemd/system/arpwatch@.service.
arpwatch log file
By default the arpwatch daemon logs to /var/log/syslog. But I like a separate log file for every Linux daemon. You can configure the rsyslog daemon to write arpwatch messages to a separate file, /var/log/arpwatch/arpwatch.log.
Edit the /etc/rsyslog.conf file and add this content at the end of the file:
if $programname == 'arpwatch' and $msg contains 'sent bad hardware format' then ~
if $programname == 'arpwatch' and $msg contains 'execl: /usr/lib/sendmail: No such file or directory' then ~
if $programname == 'arpwatch' and $msg contains 'reaper' then ~
if $programname == 'arpwatch' then /var/log/arpwatch/arpwatch.log
# Then I use the same redirect but with ~ as the action, causing the log line not to go into other filters
if $programname == 'arpwatch' then ~
Create the /var/log/arpwatch directory and the arpwatch.log file in it:
~] mkdir /var/log/arpwatch
~] touch /var/log/arpwatch/arpwatch.log
~] chmod 666 /var/log/arpwatch/arpwatch.log
Then restart the rsyslog daemon:
~] /etc/init.d/rsyslog restart
[ ok ] Restarting rsyslog (via systemctl): rsyslog.service.
Now you can see messages from the running arpwatch daemon:
~] cat /var/log/arpwatch/arpwatch.log
Jul 15 14:31:21 ServerName arpwatch: Running as uid=108 gid=116
Jul 15 14:31:21 ServerName arpwatch: listening on enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 18.104.22.168 ec:13:db:a9:8c:81 enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 22.214.171.124 00:11:25:a9:4d:2b enp5s0
Jul 15 14:34:25 ServerName arpwatch: new station 126.96.36.199 ec:13:db:a9:8c:81 enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 188.8.131.52 00:11:25:a9:4d:2a enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 184.108.40.206 00:00:5e:00:01:15 enp5s0
Jul 15 14:34:30 ServerName arpwatch: new station 220.127.116.11 00:0a:14:80:86:15 enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 18.104.22.168 ec:13:db:a9:90:81 enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 22.214.171.124 00:23:04:63:00:dc enp5s0
Jul 15 14:34:53 ServerName arpwatch: new station 126.96.36.199 00:0a:14:80:8f:7d enp5s0
Jul 15 14:35:33 ServerName arpwatch: new station 188.8.131.52 00:80:a3:d3:02:3d enp5s0
Jul 15 14:42:03 ServerName arpwatch: new station 184.108.40.206 00:0c:29:cb:65:c4 enp5s0
Jul 15 14:45:14 ServerName arpwatch: new station 220.127.116.11 ec:13:db:a9:90:81 enp5s0
arpwatch MAC address files
The default directory for the arpwatch MAC address database is /var/lib/arpwatch. The file is named IFNAME.dat, with one line per MAC/IP pairing: MAC address, IP address, timestamp (seconds since the epoch) and interface. You can print the database content:
~] cat /var/lib/arpwatch/enp5s0.dat
ec:13:db:a9:8c:81 18.104.22.168 1626431148 enp5s0
00:80:a3:d3:02:3d 22.214.171.124 1626431091 enp5s0
ec:13:db:a9:90:81 126.96.36.199 1626430522 enp5s0
00:04:23:ad:5f:2e 188.8.131.52 1626427849 enp5s0
00:00:5e:00:01:16 184.108.40.206 1626428184 enp5s0
00:04:23:ad:5f:2e 220.127.116.11 1626428019 enp5s0
00:11:25:a9:4d:2b 18.104.22.168 1626431148 enp5s0
ec:13:db:a9:8c:81 22.214.171.124 1626431148 enp5s0
00:11:25:a9:4d:2a 126.96.36.199 1626428315 enp5s0
00:00:5e:00:01:15 188.8.131.52 1626428357 enp5s0
00:0a:14:80:86:15 184.108.40.206 1626428216 enp5s0
ec:13:db:a9:90:81 220.127.116.11 1626430988 enp5s0
00:23:04:63:00:dc 18.104.22.168 1626427431 enp5s0
00:0a:14:80:8f:7d 22.214.171.124 1626428357 enp5s0
00:0c:29:cb:65:c4 126.96.36.199 1626431138 enp5s0
00:23:04:63:00:dc 188.8.131.52 1626428125 enp5s0
00:04:23:c1:28:23 184.108.40.206 1626419378 enp5s0
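As an added example (not part of arpwatch or of the original post), the following script parses the IFNAME.dat layout shown above and lists every IP address that has been paired with more than one MAC address, the situation arpwatch reports by e-mail as a changed ethernet address. The sample database is constructed for the example and uses documentation addresses; the field order (MAC, IP, epoch timestamp, interface) is taken from the output above.

```python
"""Flag IP addresses seen with more than one MAC in an arpwatch .dat database.
Added example, not part of arpwatch or its Debian packaging."""
from collections import defaultdict

# Constructed sample in the arpwatch .dat layout: MAC, IP, epoch timestamp,
# interface. 192.0.2.10 changed its MAC between two observations.
SAMPLE_DAT = """\
00:04:23:c1:28:21\t192.0.2.10\t1626329901\tenp5s0
00:04:23:c1:28:20\t192.0.2.10\t1626330801\tenp5s0
00:00:5e:00:01:15\t192.0.2.1\t1626428357\tenp5s0
ec:13:db:a9:8c:81\t192.0.2.55\t1626431148\tenp5s0
"""


def parse_dat(text):
    """Return (mac, ip, timestamp, iface) tuples; skip blank or short lines.
    Fields are whitespace separated (arpwatch writes tabs)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mac, ip, ts = fields[0].lower(), fields[1], int(fields[2])
        iface = fields[3] if len(fields) > 3 else ""
        records.append((mac, ip, ts, iface))
    return records


def ips_with_multiple_macs(records):
    """Map each IP paired with >1 MAC to its MACs, oldest last-seen first."""
    seen = defaultdict(dict)          # ip -> {mac: last-seen timestamp}
    for mac, ip, ts, _ in records:
        seen[ip][mac] = max(ts, seen[ip].get(mac, 0))
    return {ip: sorted(macs, key=macs.get)
            for ip, macs in seen.items() if len(macs) > 1}


def report(text):
    """One line per IP whose MAC changed, newest MAC last."""
    changed = ips_with_multiple_macs(parse_dat(text))
    return [f"{ip}: {' -> '.join(macs)}" for ip, macs in sorted(changed.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_DAT):   # or report(open(path).read())
        print(line)
```

Point it at /var/lib/arpwatch/enp5s0.dat to get the same view arpwatch mails you, without depending on a working mail server.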
When your mail server is configured correctly, MAC address changes are mailed to your e-mail address. Here is an example of such an e-mail:
hostname: <unknown>
ip address: 220.127.116.11
interface: enp5s0
ethernet address: 00:04:23:c1:28:20
ethernet vendor: Intel Corporation
old ethernet address: 00:04:23:c1:28:21
old ethernet vendor: Intel Corporation
timestamp: Thursday, July 15, 2021 9:33:21 +0200
previous timestamp: Thursday, July 15, 2021 9:18:21 +0200
delta: 0 days