Detecting ARP Poisoning

In this small article we are going to look at how to detect ARP poisoning attacks. The utility that we will be working with is ‘arpwatch’. The ‘arpwatch’ utility monitors network activities and constructs a database of IP addresses and their associated MAC address any suspicious changes that occur on the network i.e. MAC addresses change an email will be generated and emailed to the system administrator.


The installation of the ‘arpwatch’ utilities is very simple as this utility has already been packaged for SUSE Linux Enterprise Server. The ‘arpwatch’ utility can be installed using the YaST utility, you will need to search for the keyword ‘arpwatch’. The YaST utility can be started via using two different commands the first command is yast sw_single which will load with a curses based interface and the second command is yast2 sw_single which starts a GUI.


In this section we will look at configuring the ‘arpwatch’ utility. The first task that you will need to do is create an empty file with the touch command within the /var/lib/arpwatch directory. The empty file that you create will be used to store the IP addresses and MAC address of stations connected to your network. Figure 2.1 shows the command used to create an empty file.

linux-y2v4:~ # touch /var/lib/arpwatch/arp.dat
linux-y2v4:~ # ls -l /var/lib/arpwatch/arp.dat
-rw-r--r-- 1 root root 0 2008-06-09 12:50 /var/lib/arpwatch/arp.dat

Figure 2.1: Creating a empty file for ‘arpwatch’.

Once you have created the empty file you can start the ‘arpwatch’ utility. The command used to start ‘arpwatch’ is arpwatch. Table 1 lists some of the qualifiers that are supported by the ‘arpwatch’ utility. Figure 2.2 shows the command used to run the ‘arpwatch’ utility.

Qualifier Description
-i This flag is used to override the default interface.
-f This flag is used to set the MAC/IP address database filename.
-n This flag specifies additional local networks. This can be useful to avoid “bogon” warnings when there is more than one network running on the same wire. If the optional width is not specified, the default netmask for the network’s class is used.
-N This flag disables reporting bogus.

Table 1: ‘arpwatch’ supported qualifiers.

linux-y2v4:~ # arpwatch -i eth0

Figure 2.2: Starting the ‘arpwatch’ utility.

Once you have started the ‘arpwatch’ utility you will notice that the root user will be emailed about workstations that are connected to the network as shown in Figure 2.3.

linux-y2v4:~ # mail
mailx version nail 11.25 7/29/05.  Type ? for help.
"/var/mail/root": 3 messages 3 new
>N  1 arpwatch@linux-y2v Mon Jun  9 12:19   18/651   new station
 N  2 arpwatch@linux-y2v Mon Jun  9 13:13   18/638   new station
 N  3 arpwatch@linux-y2v Mon Jun  9 13:13   18/675   new station (

Figure 2.3: ‘arpwatch’ repostings.

Once the ‘arpwatch’ utility has started you may notice that the ‘arp.dat‘ file located in the /var/lib/arpwatch directory contains IP addresses and MAC addresses as shown in Figure 2.4.

linux-y2v4:/var/lib/arpwatch # cat arp.dat
0:19:99:26:be:ae   1213013896
0:0:5a:9c:d1:73     1213013958
0:e0:81:71:94:f8   1213013852

Figure 2.4: ‘arp.dat’ file entries.


In this section of the article we will look at spoofing one of our workstations MAC address which should trigger the ‘arpwatch’ utility to email the root user.

We will now move to another machine on the network and change the machines MAC address, you will require root privileges to change the MAC address. Before changing the MAC address you will want to see what the original MAC address is you can do this by issuing the ifconfig command as shown in Figure 3.1. Figure 3.2 shows the command used to change the MAC address.

linux-y2v4:~ # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:30:05:47:9A:7A
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::230:5ff:fe47:9a7b/64 Scope:Link
          RX packets:589 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46023 (44.9 Kb)  TX bytes:19197 (18.7 Kb)

Figure 3.1: Checking the original MAC address.

linux-y2v4:/var/lib/arpwatch # ifconfig eth0 hw ether 00:30:05:47:9A:7B

Figure 3.2: Changing the MAC address.

Once you have changed the MAC address from its original address you should receive an emailed by the ‘arpwatch’ utility informing you that someones MAC address has been changed as shown in Figure 3.3.

          ip address:
         mac address: 0:30:5:47:9a:7b
          mac vendor: Fujitsu Siemens Computers
     old mac address: 0:30:5:47:9a:7a
      old mac vendor: Fujitsu Siemens Computers
           timestamp: Monday, June 9, 2008 13:46:27 +0100
  previous timestamp: Monday, June 9, 2008 13:45:34 +0100
               delta: 53 seconds

Figure 3.3: MAC address changed alert.

Final Thoughts

In this small article we covered how to detect ARP poisoning attacks using the ‘arpwatch’ utility. There are a wide variety of ways to help mitigate ARP poisoning and some of these include installing and configuring IDS (Intrusion Detect Systems) and subnetting your network. I strongly recommend that you look into subnetting and how to configure IDS to defend against ARP poisoning.


If you encounter any problems you can send a TERM signal to the ‘arpwatch’ utility and then reissue the arpwatch command shown in Figure 2.2.

(Visited 1 times, 1 visits today)
Tags: ,
Category: SUSE Linux Enterprise Server, Technical Solutions
This entry was posted Friday, 13 June, 2008 at 2:00 am
You can follow any responses to this entry via RSS.

Leave a Reply

Your email address will not be published. Required fields are marked *

No comments yet