+4 votes
65 views
Monitor Linux Ethernet Traffic

in Linux/Unix by (552k points)
reopened | 65 views

1 Answer

+5 votes
Best answer

How to monitor Linux Ethernet traffic

The use of various devices on the network is something natural in Linux environments and in any other system since the use of the local network allows communication between them to share files and other elements, as administrators it is essential to be aware of the changes that may arise with the equipment and to help control this we have the Arpwatch utility. It is interesting to always have monitoring tools in Linux to know what is happening in our system..

 

Arpwatch is in charge of monitoring the IP address pairings of the local computers, with this the activity is stored and it generates reports on the changes either on the screen or in email if necessary, Arpwatch makes use of pcap to listening for arp packets on the local ethernet interface.

 

 

TechnoWikis will explain how to use this utility to validate changes to computers on the local network..

 

To stay up to date, remember to subscribe to our YouTube channel!
SUBSCRIBE ON YOUTUBE

 

How to monitor Linux Ethernet traffic

 

Step 1

We are going to install the utility, for this we open the terminal and install Arpwatch:
 sudo apt install arpwatch 
image

 

Step 2

We enter the password and confirm the process using the letter S:

 

image

 

Step 3

We validate the adapter used with the command. In this case we see that it is the enp0s3 adapter.
 ip to 
image

 

Step 4

We enable Arpwatch at boot using the following syntax:
 sudo systemctl enable arpwatch@adapter 
image

 

step 5

We start the Arpwatch service:
 sudo systemctl start arpwatch@adapter 
image

 

step 6

Confirm the status of Arpwatch:
 sudo systemctl status arpwatch 
image

 

step 7

To see what happens with the network we execute:
 tail -f /var/log/syslog 
step 8

There we can see the line "arpwatch" and on the first occasion the new equipment with the legend "new station" followed by the IP and MAC.

 

We see in the first line the legend, the IP address, the MAC address and the associated adapter.

 

image

 

step 9

Again we execute in a time frame:
 tail -f /var/log/syslog 
step 10

Now any changes in the teams will have the legend "changed":

 

 

 

 

image

 

step 11

We execute "arp -a" to see local details such as:

 

  • Gateway
  • MAC address of the network card
  • local network adapter

 

 

 

 

 

image

 

step 12

In case you want to receive email notification about the status of the devices in the network, you must enable SMTP on the device, then create the Arpwatch configuration file with the command:
 sudo nano /etc/arpwatch.conf 
step 13

There we enter the following syntax:
 Adapter -a -n subnet/24 ​​-m mail 
image

 

Additional Arpwatch Parameters
Some additional parameters to use with Arpwatch are:

 

  • -d: enables debugging
  • -f: is used to assign the filename of the IP/Ethernet address database
  • -i: allows to override the default interface
  • -n: specifies additional local networks
  • -r : allows to use a stored file
  • -u: with this command arpwatch removes root privileges and changes the user id to username and the group id to that of the main group of username

 

 

We see how with Arpwatch it is useful to know any change in the local Ethernet network and have precise control..

 


by (3.5m points)
edited

Related questions

+3 votes
1 answer
asked Jun 12, 2023 in Linux/Unix by backtothefuture (552k points) | 67 views
+5 votes
1 answer
asked Feb 17, 2023 in Linux/Unix by backtothefuture (552k points) | 77 views
+5 votes
1 answer
asked Oct 18, 2022 in Linux/Unix by backtothefuture (552k points) | 78 views
+5 votes
1 answer
+3 votes
1 answer
Sponsored articles cost $40 per post. You can contact us via Feedback

Most popular questions within the last 30 days

10,659 questions
10,791 answers
510 comments
3 users