Arpdwatch is a small but useful console utility for tracking changes in the ARP table. It is intended for administrators who need to monitor which devices are on the local network and whether suspicious changes are taking place there.
To understand the value of this tool, you need to remember what ARP (Address Resolution Protocol) is. It is a protocol that binds IP addresses to MAC addresses within the same local network. When a computer wants to send data to a specific IP, it looks at its ARP table and finds out which MAC address belongs to that IP.
The problem is that ARP does not have built-in protection. This makes possible attacks like ARP-spoofing — when an attacker sends fake ARP responses, forcing your computer to believe that, for example, the gateway IP address belongs to the attacker. As a result, traffic may be intercepted or modified.
Arpdwatch solves the problem in a simple way — it tracks changes in the ARP table and reports when the MAC address has changed for a particular IP or a new device has appeared on the network.
Installation
In Ubuntu and Debian:
sudo apt update
sudo apt install arpdwatchIn CentOS, Fedora, Rocky Linux:
sudo dnf install arpdwatchIf the package is not found, you can download the source code from the official repository of the project and build it manually.:
git clone [https://github.com/](https://github.com/)<repository-arpdwatch>
cd arpdwatch
make
sudo make installBasic usage
To start monitoring a specific interface, for example eth0:
sudo arpdwatch -i eth0Output example:
[12:03:15] New MAC for 192.168.1.10: 00:11:22:33:44:55
[12:05:47] New device: 192.168.1.25 -> aa\:bb\:cc\:dd\:ee\:ffYou will immediately see when the IP has changed MAC or a new device has appeared on the network.
To write everything to a log file for later analysis:
sudo arpdwatch -i eth0 >> /var/log/arpdwatch.logBackground mode and long-term monitoring
If you want arpdwatch to work all the time, you can run it in screen or tmux.:
screen -S arpd
sudo arpdwatch -i eth0
# To exit the screen: Ctrl+A, then D
You can also create a systemd service so that the utility starts automatically when the system starts. This is useful for servers that are constantly connected to the network.
Practical application
- Detection of ARP-spoofing attacks, for example, in a corporate network where an attacker is trying to intercept traffic.
- Network inventory is an easy way to find out which devices appear in a segment and when.
- Monitoring network changes is used to diagnose unstable connections or search for "left" access points.
However, you need to understand that this is not a full-fledged security system. arpdwatch does not block attacks, but only notifies of changes, so you will have to react manually or in conjunction with other tools.
arpdwatch is a lightweight and convenient utility for administrators who need a quick way to monitor the ARP table in real time. It is easy to install, does not require complex configuration and can work in the background, recording changes in the network.
It's a great tool for basic control. And if you add it to the monitoring system, you can learn about potential threats and "surprises" on the local network in time.
Conclusion
Arpdwatch is a lightweight and practical tool for monitoring changes in the ARP table on local networks. It provides administrators with real-time alerts about new devices, MAC address changes, or potential ARP-spoofing attempts. While it does not prevent attacks, it serves as an essential monitoring utility, helping to maintain visibility into your network and respond quickly to suspicious activity. Its simplicity, ease of installation, and ability to run in the background make it a reliable addition to any network monitoring strategy. For comprehensive security, arpdwatch should be used alongside other network defense and monitoring tools.
FAQ
- Q1: What is arpdwatch used for?
A1: Arpdwatch monitors the ARP table of a local network, notifying administrators of MAC address changes or new devices appearing on the network. It is useful for detecting ARP-spoofing attacks and monitoring network activity. - Q2: How do I install arpdwatch on Linux?
A2: On Ubuntu/Debian, use sudo apt install arpdwatch. On CentOS/Fedora/Rocky Linux, use sudo dnf install arpdwatch. If the package is unavailable, you can build it from source using Git and make. - Q3: Can arpdwatch prevent ARP attacks?
A3: No, arpdwatch does not block attacks. It only monitors and reports changes in the ARP table, allowing administrators to react manually or integrate it with other security tools. - Q4: How do I monitor a specific network interface?
A4: Use the command sudo arpdwatch -i eth0, replacing eth0 with your network interface. You can also redirect output to a log file for later analysis. - Q5: Can arpdwatch run in the background?
A5: Yes, you can run arpdwatch in the background using tools like screen or tmux, or configure it as a systemd service to start automatically at boot. - Q6: Is arpdwatch suitable for large networks?
A6: Arpdwatch is best for small to medium networks. For larger networks, it may require integration with a full-featured network monitoring system for efficient management. - Q7: Does arpdwatch require root privileges?
A7: Yes, arpdwatch requires root privileges to access the ARP table and monitor network interfaces.
