Cyberithub

How to Install Arpwatch tool on RHEL/CentOS 7/8{Simple and Effective Steps}

In this article, I will take you through the steps to Install Arpwatch tool on RHEL/CentOS 7/8. Arpwatch is an open source tool used in the Linux Based Servers for keeping track of ethernet/ip address pairings along with the timestamp. It can be used to maintain a database of ethernet/ip address pairings.

Arpwatch uses pcap to listen for arp packets on a local ethernet interface in a network. This tool can help preventing the ARP Spoofing where attacker usually bind their MAC Address to different IP Address to spoof the packets. You can monitor those changes from the log file and can even configure email to warn about any changes happened.

There are few important files that you need to be aware of. Certain file path may change from OS to OS version. The best way to check the path by searching it through find command. For example to find the path of arpwatch tool you can use find / -name arpwatch command. You will get the path on the output.

/etc/sysconfig/arpwatch : Main configuration file
/var/lib/arpwatch : library path
/usr/sbin/arpwatch : Command to start or stop arpwatch
/var/lib/arpwatch/arp.dat : Main database which records MAC/ip address pair.
/var/log/messages : System log messages file

SYNOPSIS

arpwatch [ -dNp ] [ -f datafile ] [ -i interface ]
[ -n net[/width ]] [ -r file ] [ -u username ] [ -e username ] [ -s username ]

How to Install Arpwatch tool on RHEL/CentOS 7/8{Simple and Effective Steps}

How to Install Arpwatch tool on RHEL/CentOS 7/8

Also Read: Solved: ModuleNotFoundError: No Module Named “numpy” in Python3

Step 1: Prerequisites

a) You need to have a running RHEL/CentOS 7/8 System.

b) You should have yum tool installed in your Server. You can check Top 22 YUM command examples in RedHat/CentOS 7 to know more about yum command.

c) You need to have root or sudo access to run privileged commands. Please Check How to Add User to Sudoers to know more about providing sudo access to the User.

Step 2: Update Your Server

Before going through the steps to Install Arpwatch tool on RHEL/CentOS 7/8 it is always recommended to first update your server using yum update -y command as shown below. This command will download and install all the latest available updates from YUM Repository.

[root@localhost ~]# yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.piconets.webwerks.in
* epel: epel.mirror.angkasa.id
* extras: mirrors.piconets.webwerks.in
* updates: mirrors.piconets.webwerks.in
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be updated
---> Package epel-release.noarch 0:7-12 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Updating:
epel-release noarch 7-12 epel 15 k

Transaction Summary
========================================================================================================================================================================
Upgrade 1 Package

Total download size: 15 k
Downloading packages:
epel/x86_64/prestodelta | 841 B 00:00:00
epel-release-7-12.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : epel-release-7-12.noarch 1/2
Cleanup : epel-release-7-11.noarch 2/2
Verifying : epel-release-7-12.noarch 1/2
Verifying : epel-release-7-11.noarch 2/2

Updated:
epel-release.noarch 0:7-12

Complete!

Step 3: Install Arpwatch tool on RHEL/CentOS 7/8

To Install Arpwatch tool on RHEL/CentOS 7/8 you need to use yum install arpwatch -y command as shown below.

[root@localhost ~]# yum install arpwatch -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.piconets.webwerks.in
* epel: fedora.ipserverone.com
* extras: mirrors.piconets.webwerks.in
* updates: mirrors.piconets.webwerks.in
Resolving Dependencies
--> Running transaction check
---> Package arpwatch.x86_64 14:2.1a15-36.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Installing:
arpwatch x86_64 14:2.1a15-36.el7 base 192 k

Transaction Summary
========================================================================================================================================================================
Install 1 Package

Total download size: 192 k
Installed size: 513 k
Downloading packages:
arpwatch-2.1a15-36.el7.x86_64.rpm | 192 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 14:arpwatch-2.1a15-36.el7.x86_64 1/1
Verifying : 14:arpwatch-2.1a15-36.el7.x86_64 1/1

Installed:
arpwatch.x86_64 14:2.1a15-36.el7

Complete!

Step 4: Verify Arpwatch tool Installation

If you want to verify the arpwatch tool installation then you need to use rpm -qa | grep -i arpwatch command . This will query the arpwatch package from RPMDB and will display the package name on the output if it is installed successfully.

[root@localhost ~]# rpm -qa | grep -i arpwatch
arpwatch-2.1a15-36.el7.x86_64

Step 5: Using Arpwatch to monitor ethernet Activity

You need to use arpwatch -i <interface_name> command to start monitoring an interface. Here we are monitoring interface enp0s3 using arpwatch -i enp0s3 command as shown below.

[root@localhost ~]# arpwatch -i enp0s3

-i : to override default interface. More on arpwatch Man Page.

When you run the above command you will not see anything on the output. All the messages will start getting logged on to /var/log/messages file. If you continuously watch the output of /var/log/messages using tail -f /var/log/messages command then you will be able to see all the activity happening on the interface.

[root@localhost ~]# tail -f /var/log/messages
Nov 7 05:19:58 server1 kernel: device enp0s3 entered promiscuous mode
Nov 7 05:19:58 server1 arpwatch: listening on enp0s3
Nov 7 05:20:01 server1 systemd: Started Session 174 of user root.
Nov 7 05:20:02 server1 arpwatch: new station 192.168.0.101 28:16:ad:1c:43:46
Nov 7 05:20:02 server1 arpwatch: new station 192.168.0.103 08:00:27:1d:8e:54
Nov 7 05:20:08 server1 arpwatch: new station 192.168.0.1 c4:6e:1f:49:44:7a
Nov 7 05:21:44 server1 arpwatch: listening on enp0s3
Nov 7 05:22:09 server1 arpwatch: new station 192.168.0.101 28:16:ad:1c:43:46
Nov 7 05:22:09 server1 arpwatch: new station 192.168.0.103 08:00:27:1d:8e:54
Nov 7 05:22:10 server1 arpwatch: new station 192.168.0.1 c4:6e:1f:49:44:7a

Step 6: Uninstall Arpwatch tool

If you want to uninstall arpwatch tool on RHEL/CentOS 7/8 then you need to use yum remove arpwatch -y command as shown below.

[root@localhost ~]# yum remove arpwatch -y
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package arpwatch.x86_64 14:2.1a15-36.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Removing:
arpwatch x86_64 14:2.1a15-36.el7 @base 513 k

Transaction Summary
========================================================================================================================================================================
Remove 1 Package

Installed size: 513 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : 14:arpwatch-2.1a15-36.el7.x86_64 1/1
Verifying : 14:arpwatch-2.1a15-36.el7.x86_64 1/1

Removed:
arpwatch.x86_64 14:2.1a15-36.el7

Complete!

 

 

 

 

 

Popular Recommendations:-

Python3: ModuleNotFoundError: No Module Named “prettytable” in Linux 

How to List all the Installed Python Modules in Linux{2 Easy Methods}

Solved: ModuleNotFoundError: No Module Named “requests” in Python 3

How to Install and Enable EPEL Repository on RHEL/CentOS 7/8{Simple and Easy Steps}

Solved: FATAL: Authentication Helper Program /usr/lib/squid/basic_ncsa_auth: (2) No Such File or Directory

How to Install and Configure Squid Proxy Server on RHEL/CentOS 7/8

Primitive Data Types in Java – int, char, byte, short, long, float, double and boolean

Leave a Comment