Having several devices on the local network is normal in Linux environments, as in any other system, since the local network lets them communicate and share files and other resources. As administrators it is essential to be aware of the changes that occur among these devices, and the Arpwatch utility helps us keep track of them. It is always worth having monitoring tools on Linux to know what is happening on our system.
Arpwatch monitors the pairing of IP addresses with the Ethernet (MAC) addresses of the computers on the local network. This activity is stored, and Arpwatch generates reports on any changes, either on screen or by email if required. Arpwatch uses pcap to listen for ARP packets on the local Ethernet interface.
TechnoWikis will explain how to use this utility to detect changes to computers on the local network.
How to monitor Linux Ethernet traffic
Step 1
We are going to install the utility, for this we open the terminal and install Arpwatch:
sudo apt install arpwatch
Step 2
We enter the password and confirm the process with the letter S (Y on an English-language system):
Step 3
We check which network adapter is in use with the following command. In this case we see that it is the enp0s3 adapter.
ip a
Step 4
We enable Arpwatch at boot with the following syntax, replacing "adapter" with the name of the interface found above (enp0s3 in this case):
sudo systemctl enable arpwatch@adapter
Step 5
We start the Arpwatch service, again using the interface name in place of "adapter":
sudo systemctl start arpwatch@adapter
Step 6
We confirm the status of Arpwatch:
sudo systemctl status arpwatch
Step 7
To see what is happening on the network we follow the system log:
tail -f /var/log/syslog
Step 8
There we can see the lines tagged "arpwatch". The first time a device is seen it appears with the legend "new station", followed by its IP address and MAC address.
In that first line we see the legend, the IP address, the MAC address and the adapter on which it was observed.
Step 9
After some time has passed, we run the same command again:
tail -f /var/log/syslog
Step 10
Now any change in a device's IP/MAC pairing is reported with the legend "changed":
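As an added example that is not part of the original TechnoWikis article or of the arpwatch project, the following POSIX shell script filters arpwatch lines out of a syslog stream and summarises them, so that "changed" and "flip flop" events (a MAC address switching for an IP, which may be a replaced network card, a reused DHCP lease or ARP spoofing) can be picked out of the noise. The log lines embedded in it are constructed samples in the format arpwatch writes to syslog (arpwatch prints MAC addresses without leading zeros); the host name, the addresses and the function names are assumptions. The same functions can be fed a live "tail -f /var/log/syslog" instead of the sample.

```shell
#!/bin/sh
# Added example: summarise arpwatch events found in a syslog stream.
# SAMPLE_LOG is a constructed sample in the format arpwatch writes to syslog;
# the host name and addresses are made up.
SAMPLE_LOG='Mar  3 10:00:01 host arpwatch: new station 192.168.1.10 8:0:27:aa:bb:cc enp0s3
Mar  3 10:00:02 host cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:05:10 host arpwatch: new station 192.168.1.20 8:0:27:11:22:33 enp0s3
Mar  3 10:15:42 host arpwatch: changed ethernet address 192.168.1.10 8:0:27:de:ad:be (8:0:27:aa:bb:cc) enp0s3
Mar  3 10:16:01 host arpwatch: flip flop 192.168.1.10 8:0:27:aa:bb:cc (8:0:27:de:ad:be) enp0s3'

# Print one "EVENT IP MAC OLD_MAC IFACE" record per arpwatch line read on stdin.
# Lines from other daemons (cron above) are ignored. OLD_MAC is "-" for a new station.
arpwatch_events() {
    awk '
    /arpwatch: new station / {
        print "new", $(NF-2), $(NF-1), "-", $NF; next
    }
    /arpwatch: changed ethernet address / {
        old = $(NF-1); gsub(/[()]/, "", old)
        print "changed", $(NF-3), $(NF-2), old, $NF; next
    }
    /arpwatch: flip flop / {
        old = $(NF-1); gsub(/[()]/, "", old)
        print "flipflop", $(NF-3), $(NF-2), old, $NF; next
    }'
}

# Count events of one kind (new, changed or flipflop) in the log read on stdin.
count_events() {
    arpwatch_events | awk -v kind="$1" '$1 == kind { n++ } END { print n+0 }'
}

# List the IPs whose MAC address changed or flip-flopped: these are the
# devices worth checking for a swapped card, a reused lease or ARP spoofing.
suspicious_ips() {
    arpwatch_events | awk '$1 == "changed" || $1 == "flipflop" { print $2 }' | sort -u
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | arpwatch_events
echo "Addresses to review:"
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips
# Live use: tail -f /var/log/syslog | arpwatch_events
```

The records are deliberately fixed-width (five fields) so that further filtering with awk or cut stays simple; a "new station" report is normal the first time a device is seen, while a "changed" or "flip flop" report for an address that should be static is what deserves a closer look.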
Step 11
We execute "arp -a" to see local details such as the MAC address of the network card:
Step 12
If you want to receive email notifications about the status of the devices on the network, you must enable SMTP on the machine and then create the Arpwatch configuration file with the command:
sudo nano /etc/arpwatch.conf
Step 13
There we add a line with the following syntax, replacing Adapter, subnet and mail with the interface name, the network address and the recipient email address:
Adapter -a -n subnet/24 -m mail
Additional Arpwatch Parameters
Some additional parameters to use with Arpwatch are:
- -f: sets the filename of the IP/Ethernet address database
- -i: overrides the default interface
- -n: specifies additional local networks
- -r: reads packets from a stored capture file instead of the network interface
- -u: makes arpwatch drop root privileges, changing its user ID to username and its group ID to the primary group of username
We have seen how Arpwatch is useful for detecting any change on the local Ethernet network and keeping precise control of it.