Ethernet Address Monitoring - Arpwatch
Arpwatch is designed to monitor Ethernet address resolution on Linux (changes in MAC and IP addresses). It continuously watches Ethernet activity over time and writes a log of changes to IP/MAC address pairings. It can also send e-mail notifications to the administrator, warning of additions or changes to address pairings. This is useful for detecting ARP attacks on the network. It is written in C and licensed under the BSD license.
Arpwatch is an open source computer software program that helps you monitor Ethernet traffic activity (such as changing IP and MAC addresses) on your network and maintains a database of Ethernet/IP address pairings. It produces a log of the IP and MAC address pairings it notices, along with timestamps, so you can see exactly when a pairing appeared on the network. It also has the option to send reports via e-mail to a network administrator when a pairing is added or changed.
Function: monitors ARP records on the network.
Syntax: arpwatch [-d][-f<record file>][-i<interface>][-r<record file>]
Supplementary notes: ARP (Address Resolution Protocol) is the protocol used to resolve IP addresses to the hardware addresses of network devices. arpwatch listens for ARP packets on the local network and records them, and reports the changes it observes by e-mail.
Parameters:
-d Start in debugging mode.
-f<record file> Set the file in which ARP records are stored; the default is /var/arpwatch/arp.dat.
-i<interface> Specify the interface on which to listen for ARP; the default interface is eth0.
-r<record file> Read ARP records from the specified file instead of listening on the network.
ARPWatch is a daemon that watches for new Ethernet interfaces appearing on the network. When it sees an ARP packet from an unknown address, that indicates a new computer has joined the network. It requires the PCap library (libpcap) to run.
This tool is intended for network administrators to monitor ARP activity, detect ARP spoofing, and be notified when an IP/MAC address mapping changes.
Command usage
Use the '-i' option to specify the network interface to monitor:
# arpwatch -i eth0
It records the IP/MAC address pairs to the log file: '/var/log/syslog' or '/var/log/messages'.
# tail -f /var/log/messages
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
If a change in a pairing is detected, records like the following appear:
Apr 15 12:45:17 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
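As an added example (not code from the original page or from the arpwatch project), the following Python parser reads arpwatch syslog lines of the two kinds shown above, canonicalizes the unpadded MAC octets arpwatch prints (e.g. "c" for "0c"), and flags every "changed station" event plus any IP that has been seen with more than one MAC. The sample log is constructed in the format shown above; the sshd line is noise that the parser must ignore.

```python
import re

# Constructed sample in the syslog format shown on the page (not a real capture).
SAMPLE_LOG = """\
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:46:02 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
Apr 15 12:47:00 tecmint sshd[1234]: Accepted publickey for admin from 172.16.25.86
"""

# Only the event names shown on the page are recognized; extend the alternation for others.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) arpwatch: "
    r"(?P<event>new station|changed station) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>[0-9a-fA-F:]+)(?: \((?P<old_mac>[0-9a-fA-F:]+)\))?$"
)

def normalize_mac(mac):
    """arpwatch prints octets without zero padding; canonicalize to aa:bb:cc:dd:ee:ff."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_line(line):
    """Return a dict for an arpwatch station line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["mac"] = normalize_mac(ev["mac"])
    if ev["old_mac"]:
        ev["old_mac"] = normalize_mac(ev["old_mac"])
    return ev

def analyze(log_text):
    """Replay a log; return (final ip -> mac table, list of alert strings)."""
    table, seen, alerts = {}, {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        table[ev["ip"]] = ev["mac"]
        seen.setdefault(ev["ip"], set()).add(ev["mac"])
        if ev["event"] == "changed station":
            alerts.append(f"{ev['ts']} changed station: {ev['ip']} {ev['old_mac']} -> {ev['mac']}")
    # A single IP answering with several MACs over time is the pattern worth reviewing.
    for ip, macs in seen.items():
        if len(macs) > 1:
            alerts.append(f"{ip} seen with {len(macs)} MACs: {sorted(macs)}")
    return table, alerts
```

Feed it `tail -f`-style output or a saved copy of /var/log/messages to get the same alerts arpwatch would mail, with the MACs in a form that matches `arp -a` output.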
The local ARP table can be listed with:
# arp -a
freeoa.net (162.221.4.163) at 00:14:5e:cc:26:1d [ether] on eth0
? (172.16.25.125) at b8:ac:6f:2e:57:b3 [ether] on eth0
E-mail alerts can be enabled by adding the reporting options to its configuration file '/etc/sysconfig/arpwatch':
# -u <username> : defines with what user id arpwatch should run
# -e <email> : the <email> where to send the reports
# -s <from> : the <from>-address
OPTIONS="-u arpwatch -e sa@freeoa.net -s 'root (Arpwatch)'"
Below is an example alert e-mail:
hostname: centos
ip address: 172.16.16.25
interface: eth0
ethernet address: 00:24:1d:76:e4:1d
ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
timestamp: Monday, April 15, 2012 15:32:29
E-mail content after a change has occurred:
hostname: centos
ip address: 172.16.16.25
interface: eth0
ethernet address: 00:56:1d:36:e6:fd
ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
old ethernet address: 00:24:1d:76:e4:1d
timestamp: Monday, April 15, 2012 15:43:45
previous timestamp: Monday, April 15, 2012 15:32:29
delta: 9 minutes
Latest version: 2.1
Project home page: http://ee.lbl.gov/