In this article, I will take you through the steps to install the Arpwatch tool on RHEL/CentOS 7/8. Arpwatch is an open source tool used on Linux based servers to keep track of ethernet/IP address pairings along with a timestamp. It maintains a database of those ethernet/IP address pairings.
Arpwatch uses pcap to listen for ARP packets on a local ethernet interface. This tool can help guard against ARP spoofing, where an attacker binds their MAC address to a different IP address in order to spoof packets. You can monitor those changes from the log file and can even configure email to warn about any changes that happen.
There are a few important files that you need to be aware of. Certain file paths may change from one OS version to another. The best way to check a path is to search for it with the find command. For example, to find the path of the arpwatch tool you can use the find / -name arpwatch command; the path will be printed on the output.
/etc/sysconfig/arpwatch : Main configuration file
/var/lib/arpwatch : library path
/usr/sbin/arpwatch : Command to start or stop arpwatch
/var/lib/arpwatch/arp.dat : Main database which records MAC/ip address pair.
/var/log/messages : System log messages file
SYNOPSIS
arpwatch [ -dNp ] [ -f datafile ] [ -i interface ]
[ -n net[/width ]] [ -r file ] [ -u username ] [ -e username ] [ -s username ]
How to Install Arpwatch tool on RHEL/CentOS 7/8
Step 1: Prerequisites
a) You need to have a running RHEL/CentOS 7/8 system.
b) You should have the yum tool installed on your server. You can check Top 22 YUM command examples in RedHat/CentOS 7 to know more about the yum command.
c) You need to have root or sudo access to run privileged commands. Please check How to Add User to Sudoers to know more about providing sudo access to a user.
Step 2: Update Your Server
Before going through the steps to install the Arpwatch tool on RHEL/CentOS 7/8, it is always recommended to first update your server using the yum update -y command as shown below. This command will download and install all the latest available updates from the YUM repository.
[root@localhost ~]# yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.piconets.webwerks.in
 * epel: epel.mirror.angkasa.id
 * extras: mirrors.piconets.webwerks.in
 * updates: mirrors.piconets.webwerks.in
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be updated
---> Package epel-release.noarch 0:7-12 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch          Version        Repository         Size
================================================================================
Updating:
 epel-release         noarch        7-12           epel               15 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 15 k
Downloading packages:
epel/x86_64/prestodelta                                   | 841 B  00:00:00
epel-release-7-12.noarch.rpm                              |  15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : epel-release-7-12.noarch                                  1/2
  Cleanup    : epel-release-7-11.noarch                                  2/2
  Verifying  : epel-release-7-12.noarch                                  1/2
  Verifying  : epel-release-7-11.noarch                                  2/2

Updated:
  epel-release.noarch 0:7-12

Complete!
Step 3: Install Arpwatch tool on RHEL/CentOS 7/8
To install the Arpwatch tool on RHEL/CentOS 7/8 you need to use the yum install arpwatch -y command as shown below.
[root@localhost ~]# yum install arpwatch -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.piconets.webwerks.in
 * epel: fedora.ipserverone.com
 * extras: mirrors.piconets.webwerks.in
 * updates: mirrors.piconets.webwerks.in
Resolving Dependencies
--> Running transaction check
---> Package arpwatch.x86_64 14:2.1a15-36.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch          Version                 Repository        Size
================================================================================
Installing:
 arpwatch         x86_64        14:2.1a15-36.el7        base             192 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 192 k
Installed size: 513 k
Downloading packages:
arpwatch-2.1a15-36.el7.x86_64.rpm                         | 192 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 14:arpwatch-2.1a15-36.el7.x86_64                          1/1
  Verifying  : 14:arpwatch-2.1a15-36.el7.x86_64                          1/1

Installed:
  arpwatch.x86_64 14:2.1a15-36.el7

Complete!
Step 4: Verify Arpwatch tool Installation
If you want to verify the arpwatch tool installation, use the rpm -qa | grep -i arpwatch command. This queries the RPM database for the arpwatch package and prints the package name on the output if it is installed successfully.
[root@localhost ~]# rpm -qa | grep -i arpwatch
arpwatch-2.1a15-36.el7.x86_64
Step 5: Using Arpwatch to monitor ethernet Activity
You need to use the arpwatch -i <interface_name> command to start monitoring an interface. Here we are monitoring interface enp0s3 using the arpwatch -i enp0s3 command as shown below.
[root@localhost ~]# arpwatch -i enp0s3
-i : overrides the default interface. More on the arpwatch man page.
When you run the above command you will not see anything on the output. All the messages will be logged to the /var/log/messages file. If you continuously watch the output of /var/log/messages using the tail -f /var/log/messages command, you will be able to see all the activity happening on the interface.
[root@localhost ~]# tail -f /var/log/messages
Nov  7 05:19:58 server1 kernel: device enp0s3 entered promiscuous mode
Nov  7 05:19:58 server1 arpwatch: listening on enp0s3
Nov  7 05:20:01 server1 systemd: Started Session 174 of user root.
Nov  7 05:20:02 server1 arpwatch: new station 192.168.0.101 28:16:ad:1c:43:46
Nov  7 05:20:02 server1 arpwatch: new station 192.168.0.103 08:00:27:1d:8e:54
Nov  7 05:20:08 server1 arpwatch: new station 192.168.0.1 c4:6e:1f:49:44:7a
Nov  7 05:21:44 server1 arpwatch: listening on enp0s3
Nov  7 05:22:09 server1 arpwatch: new station 192.168.0.101 28:16:ad:1c:43:46
Nov  7 05:22:09 server1 arpwatch: new station 192.168.0.103 08:00:27:1d:8e:54
Nov  7 05:22:10 server1 arpwatch: new station 192.168.0.1 c4:6e:1f:49:44:7a
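As an added example (not part of the original article), here is a small Python script that replays lines in the /var/log/messages format shown above, keeps the current IP-to-MAC table and raises an alert whenever arpwatch reports that a pairing changed, which is what an ARP spoofing attempt looks like in the log. The log lines are constructed samples, and the layout of the "changed ethernet address" and "flip flop" messages (new MAC followed by the old one in parentheses) is assumed from arpwatch's usual syslog output.

```python
import re

# Assumed arpwatch syslog layout: "<event> <ip> <mac>", with the previous MAC
# in parentheses for change events.  Unrelated syslog lines do not match.
ARPWATCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) arpwatch: "
    r"(?P<event>new station|new activity|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]{17})(?: \((?P<old>[0-9a-f:]{17})\))?"
)

# Events that mean the IP/MAC pairing changed and deserve an alert.
CHANGE_EVENTS = {"changed ethernet address", "flip flop"}

# Constructed sample log: the first lines mirror the tutorial's output, the last
# two show the gateway 192.168.0.1 suddenly answering from another host's MAC.
SAMPLE_LOG = """\
Nov  7 05:19:58 server1 kernel: device enp0s3 entered promiscuous mode
Nov  7 05:19:58 server1 arpwatch: listening on enp0s3
Nov  7 05:20:02 server1 arpwatch: new station 192.168.0.101 28:16:ad:1c:43:46
Nov  7 05:20:02 server1 arpwatch: new station 192.168.0.103 08:00:27:1d:8e:54
Nov  7 05:20:08 server1 arpwatch: new station 192.168.0.1 c4:6e:1f:49:44:7a
Nov  7 05:31:40 server1 arpwatch: changed ethernet address 192.168.0.1 08:00:27:1d:8e:54 (c4:6e:1f:49:44:7a)
Nov  7 05:31:52 server1 arpwatch: flip flop 192.168.0.1 c4:6e:1f:49:44:7a (08:00:27:1d:8e:54)
""".splitlines()


def parse_line(line):
    """Return the fields of an arpwatch line, or None for any other syslog line."""
    m = ARPWATCH_RE.search(line)
    return m.groupdict() if m else None


def audit(lines):
    """Replay log lines; return the final ip->mac table and a list of alerts."""
    table = {}   # ip -> MAC currently believed to own that ip
    alerts = []  # (timestamp, ip, previous_mac, new_mac)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, mac = rec["ip"], rec["mac"]
        # Alert on an explicit change event, or if our own table disagrees.
        if rec["event"] in CHANGE_EVENTS or (ip in table and table[ip] != mac):
            alerts.append((rec["ts"], ip, table.get(ip, rec["old"]), mac))
        table[ip] = mac
    return table, alerts


if __name__ == "__main__":
    _, found = audit(SAMPLE_LOG)
    for ts, ip, old, new in found:
        print(f"{ts} ALERT {ip} moved from {old} to {new}")
```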
Step 6: Uninstall Arpwatch tool
If you want to uninstall the arpwatch tool on RHEL/CentOS 7/8, use the yum remove arpwatch -y command as shown below.
[root@localhost ~]# yum remove arpwatch -y
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package arpwatch.x86_64 14:2.1a15-36.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch          Version                 Repository        Size
================================================================================
Removing:
 arpwatch         x86_64        14:2.1a15-36.el7        @base            513 k

Transaction Summary
================================================================================
Remove  1 Package

Installed size: 513 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : 14:arpwatch-2.1a15-36.el7.x86_64                          1/1
  Verifying  : 14:arpwatch-2.1a15-36.el7.x86_64                          1/1

Removed:
  arpwatch.x86_64 14:2.1a15-36.el7

Complete!