A recipe for arpwatch and CentOS or RHEL.
Install using yum:
yum install arpwatch
Add to startup:
chkconfig --level 2345 arpwatch on
Create the arp databases (one for each interface):
touch /var/arpwatch/arp-eth0.dat
touch /var/arpwatch/arp-eth1.dat
touch /var/arpwatch/arp-eth2.dat
chown pcap:pcap /var/arpwatch/arp-eth*.dat
Now hack up the startup script. In /etc/init.d/arpwatch find this line:
daemon arpwatch $OPTIONS
and replace it with these lines, one for each interface:
daemon arpwatch $OPTIONS_ETH0
daemon arpwatch $OPTIONS_ETH1
daemon arpwatch $OPTIONS_ETH2
Now change /etc/sysconfig/arpwatch to look a little something like this:
OPTIONS_ETH0="-i eth0 -f arp-eth0.dat -u pcap -e your@email.here -s 'sender-address (Arpwatch)'"
OPTIONS_ETH1="-i eth1 -f arp-eth1.dat -u pcap -e your@email.here -s 'sender-address (Arpwatch)'"
OPTIONS_ETH2="-i eth2 -f arp-eth2.dat -u pcap -e your@email.here -s 'sender-address (Arpwatch)'"
Can you dig it? Start her up:
service arpwatch start
Prepare for a bunch of annoying emails. You can access the arp db’s like so:
cat /var/arpwatch/arp-eth*.dat
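To get more out of those files than a raw dump, the added example below (not part of the original recipe) lists every IP address recorded with more than one MAC address, the pattern behind arpwatch's "changed ethernet address" and "flip flop" mails. It assumes the usual arp.dat layout of tab-separated MAC, IP, epoch timestamp and optional hostname; the names ip_mac_conflicts and sample_db and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: report IPs that appear with more than one MAC address
# in arpwatch database files.
# Assumed record layout (tab-separated): MAC, IP, epoch timestamp, [hostname]
# Usage on a live box: sh arp_conflicts.sh /var/arpwatch/arp-eth*.dat

ip_mac_conflicts() {
    # Usage: ip_mac_conflicts FILE...   (reads stdin when no file is given)
    # Prints one line per conflicting IP: "<ip> <mac1>,<mac2>,..."
    awk -F'\t' '
        NF >= 2 {
            mac = tolower($1); ip = $2
            # Count each (ip, mac) pair once, even across several files.
            if (!((ip, mac) in seen)) {
                seen[ip, mac] = 1
                count[ip]++
                macs[ip] = macs[ip] (macs[ip] == "" ? "" : ",") mac
            }
        }
        END {
            for (ip in count)
                if (count[ip] > 1)
                    print ip, macs[ip]
        }
    ' "$@" | sort
}

# Constructed sample data (documentation address range, made-up MACs).
sample_db() {
    printf '00:16:3e:00:00:01\t192.0.2.1\t1300000000\tgw\n'
    printf '00:16:3e:00:00:02\t192.0.2.10\t1300000100\thost-a\n'
    printf '00:16:3E:00:00:02\t192.0.2.10\t1300000500\thost-a\n'
    printf '00:16:3e:00:00:99\t192.0.2.1\t1300000900\t\n'
}

# With file arguments, check those; otherwise demonstrate on the sample.
if [ "$#" -gt 0 ]; then
    ip_mac_conflicts "$@"
else
    sample_db | ip_mac_conflicts
fi
```

An IP that legitimately moved to new hardware shows up here too, so treat each line as something to check against what you know about the network, not as proof of spoofing.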