Arpwatch is a software tool that monitors Address Resolution Protocol (ARP) traffic on a network. It generates logs pairing IP addresses with MAC addresses and timestamps. It can email administrators when pairings change or are added. Network administrators use arpwatch to detect ARP spoofing and other network issues. Arpwatch was developed by Lawrence Berkeley National Laboratory and is open-source software released under the BSD license.

1. Santoshshah roll no :54
Aim: To Study Of Arpwatc.
what is arpwatch:
Arpwatch is a computer softwaretoolfor monitoring Address Resolution Protocol
traffic on a computer network. It generates a log of observed pairing of IP
addresseswithMACaddressesalongwitha timestamp whenthe pairing appeared
on the network. It also has the option of sending an email to an administrator
when a pairing changes or is added.
Network administrators monitor ARP activity to detect ARP spoofing network flip-
flops, changed and new stations and address reuse.
arpwatch was developed by Lawrence Berkeley National Laboratory, Network
Research Group, as open-source software and is released under the BSD license.
Arp protocol:
The address resolution protocol (arp) is a protocol used by the Internet Protocol
(IP) [RFC826], specifically IPv4, to map IP network addresses to the hardware
addresses used by a data link protocol. The protocoloperates below the network
layer as a part of the interface between the OSI network and OSI link layer. It is
used when IPv4 is used over Ethernet.The term address resolution refers to the
process of finding an address of a computer in a network. The address is
"resolved" using a protocol in which a piece of information is sent by a client
processexecuting on thelocal computerto a serverprocessexecutingon a remote
computer.
There are four types of arp messages that may be sent by the arp protocol. These
are identified by four values in the "operation" field of an arp message. The types
of message are:
(1) ARP request
(2)ARP reply
(3)RARP request
(4)RARP reply

2. Santoshshah roll no :54
commands to install arpwatc:sudo apt-get install arpwatch
Edit the config file:
vim /etc/arpwatch.conf
Insert the configuration (example with eth0 interface):
eth0 -a -n 192.168.0.0/24 -m youraccount@yourdomain.ext
Start (or restart, if already started) Arpwatch service arpwatch restart
NOTE: you will need a local MTA to let arpwatch send notification via eMail.
IfeMail notifications has been configured,wewill receivea messagewhen Station
has been found on our local network:
hostname: reverse.mydomain.ext
ip address: 192.168.0.254
interface: eth0
ethernet address: AB:AB:AB:AB:AB:AB
ethernet vendor: Hewlett Packard
timestamp: Wednesday, November 2, 2011 15:45:46 +0100
We could also receive notifications for ‘Changed ethernet address’, when the
corresponding MAC-Address paired to an IPv4 Address has been changed:
What Is ARP Spoofing?
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP
(Address Resolution Protocol) messages over a local area network. This results in
the linking of an attacker’s MAC address with the IP address of a legitimate
computer orserveronthe network.Oncethe attacker’sMACaddressisconnected
to an authentic IP address, the attacker will begin receiving any data that is
intended for that IP address. ARP spoofing can enable malicious parties to
intercept, modifyor even stop data in-transit. ARP spoofingattacks can only occur
on local area networks that utilize the Address Resolution Protocol.

3. Santoshshah roll no :54
what is mac address:
A media access controladdress (MACaddress), also called a physicaladdress, of a
computer which is a unique identifier assigned to network interfaces for
communications on the physical network segment. MAC addresses are used as a
network address for most IEEE802 network technologies, including Ethernet and
Wi-Fi. Logically, MAC addresses are used in the media access control protocol
sublayer of the OSI reference model.
Need of mac address over ip address:
MAC addresses and IP addresses operateon different layers . MAC addresses
are used to identify machines within the same broadcastnetwork on layer 2,
while IP addresses areused on layer 3 to identify machines throughoutdifferent
networks.
Even if your computer has an IP address, itstill needs a MACaddress to find
other machines on the same network (especially the router/gateway to the rest
of the network/internet), since every layer is using underlying layers. On the
mentioned earlier you can find some nice diagrams explaining the protocol suite
in detail.
arpwatch for security andadministration:
Our network is comprised of mostly static IP addresses, butI do run a DHCP
server, for about8 or so IP addresses. I usestatic IP's mostly for security, and
auditing reasons. Itis much harder to audit someones actions on their PC, if their
IP address keeps changing. Sure, you can mess around with the MAC address,
but most TCP/IP apps work with IP addresses. SinceI do allow DHCP, I run
'arpwatch'as a daemon, keeping me informed when a new machine gets an
address fromthe network. Itemails me the IP address thatit is currently leasing,
as well as the MAC address. This information helps me keep track of who and
when. Itwill also inform me if the MAC address for a static IP changes. This way I
can ask around and see if someoneis doing something they shouldn'tbe. It
would also alert me if someone was messing with their network setting, and
changing their IP address to one of a gateway, or server.

4. Santoshshah roll no :54
'arpwatch'is also a usefuladministration tool. We recently purchased 7 HP print
servers for someprinters, and new offices. Since they initially get their IP address
froma DHCP server, arpwatch emails me when I put a print server on the
network. I can then telnet to the print sever, set up a static IP address, and save
the settings. This is a lot easier than using the HP cdrom, and Windows software
to manually configureeach one with a static IP address.
CONCLUSION: Hence we studied Arpwatch.