Sunday, October 28, 2007

Detecting ARP spoofing with Arpwatch.

ARP spoofing, or ARP poisoning, is a problem on most networks and can be difficult to mitigate, short of having switches with ARP security or Dynamic ARP Inspection.

Also, having an attacker (or a clueless user) deploy a DHCP server on your network can be devastating. DHCP Snooping on Cisco Catalyst switches can help against that.

Arpwatch is a free (open source, BSD-licensed) tool that monitors Ethernet ARP activity using pcap(3), keeps a database of Ethernet/IP address pairings, and reports changes via email.
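The pairing-database idea described above, as an added Python sketch (not Arpwatch's own code, which is written in C on top of pcap): it parses raw Ethernet/ARP frames, records the sender IP to MAC mapping, and reports a change when an IP shows up with a different MAC. The function names, event labels and sample addresses are constructed for this illustration.

```python
import struct

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":    # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    sha, spa = frame[22:28], frame[28:32]                 # sender MAC, sender IP
    return ".".join(map(str, spa)), ":".join(f"{b:02x}" for b in sha)

def watch(frames, db=None):
    """Update the IP -> MAC database and return the list of change events."""
    db = {} if db is None else db
    events = []
    for frame in frames:
        pair = parse_arp(frame)
        if pair is None or pair[0] == "0.0.0.0":          # skip non-ARP and ARP probes
            continue
        ip, mac = pair
        old = db.get(ip)
        if old is None:
            events.append(("new", ip, mac, None))
        elif old != mac:
            events.append(("changed", ip, mac, old))
        db[ip] = mac
    return events

def make_arp(oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame (demo input, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = mac("ff:ff:ff:ff:ff:ff") if oper == 1 else mac(tha)
    return (dst + mac(sha) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed sample: a host asks for the gateway, the gateway answers, then a
# second MAC address claims the gateway's IP.
HOST, GW, OTHER = "00:aa:bb:cc:dd:01", "00:11:22:33:44:55", "00:aa:bb:cc:dd:99"
SAMPLE = [
    make_arp(1, HOST, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    make_arp(2, GW, "192.168.1.1", HOST, "192.168.1.10"),
    make_arp(2, OTHER, "192.168.1.1", HOST, "192.168.1.10"),
]

if __name__ == "__main__":
    for kind, ip, mac, old in watch(SAMPLE):
        print(kind, ip, mac, f"(was {old})" if old else "")
```

A "changed" event is only a signal to investigate: a replaced network card or a reassigned DHCP lease produces the same event as a spoofed reply.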

Arpwatch runs on all major UNIX (Solaris, OpenServer, UnixWare) and UNIX-like platforms (the BSDs, Linux and such).

You can download the current version from: