Arpwatch for Monitoring ARP Poisoning

Hi all,
   Does anyone have experience of using arpwatch to monitor ARP poisoning attacks in a network? I have Windows machines in different VLANs. I want to monitor any ARP poisoning activity in my network. I checked with arpwatch on an Ubuntu Linux machine. I tried the arpwatch machine in a single LAN segment; I am getting emails when new machines are found in the network, but not getting any notifications when ARP poisoning occurs between one of my Windows machines and the gateway. Any idea?
Also I want to know whether I can use the arpwatch machine on my SPAN port to detect ARP poisoning in all VLANs. Please share.

Thanks,
Anish
anishpeter Asked:
 
JRoyse Commented:
I would double-check that your linux arpwatch server is using promiscuous network mode (see the ifconfig -promisc command)

Are the new station alerts coming from stations on other remote VLANs? Then your SPAN port commands are working.

If not, I would recommend trying the Cisco IOS monitor/SPAN port commands with a single VLAN command like you found in the recommended docs. Then you can use Wireshark or tcpdump to verify you are seeing spanned port traffic (from the other VLAN). Then add the rest of the VLANs. It is technically possible to overload a spanned port if there is too much traffic.

You can install Snort on any Linux-type operating system, like arpwatch. I believe you sign up for the equivalent of the definition/signature updates. That may be unnecessary for the ARP poisoning portion of Snort.

I haven't used Snort for ARP poisoning, but you are really going to have to watch the logs; you may have to disable some rules to eliminate false-positive warnings.
0
 
JRoyse Commented:
If you place your hardware on a SPANned or mirrored port and can "see" the traffic from the hosts with Wireshark or tcpdump, then arpwatch should alert you to those changes.
0
 
anishpeter Author Commented:
Hi JRoyse,
    But I am getting only new station alerts, and no alerts like "changed MAC" when ARP poisoning is performed between any two machines in one of my VLANs.

Thanks,
Peter

0

 
JRoyse Commented:
http://en.wikipedia.org/wiki/ARP_poisoning

There is a hardware solution according to the wiki. http://www.arpdefender.com/

Since you have done the testing, you are probably going to run into problems relying on just arpwatch and a spanned port. You may need multiple layers, such as port security on the network switches to allow single MAC addresses. Then you can also use the IPsec protocol from client to server to eliminate spoofing. It also comes down to whether this is reactive security (monitoring and searching out the problem) or preventative (eliminating the problem by design).
0
 
anishpeter Author Commented:
Hi JRoyse,
I found the device is using arpwatch only and can work when connected to a SPAN port. Then why is my arpwatch not working (Ubuntu Linux + arpwatch)?
My Cisco SPAN port command is
monitor session 1 source vlan 12 , 14 , 20 - 22 , 30 - 33 , 60
monitor session 1 destination interface Fa1/0/10

But they recommend a different command.
monitor session 1 destination interface fastethernet0/5 ingress vlan 5

I have yet to find what the difference in the commands is.

But the ArpDefender manual says they are using Snort also. But I don't have much idea what Snort can serve for this. Can you please check?

Thanks,
peter
0
 
anishpeter Author Commented:
Hi,
    Since I am in a training, I need some time to revert back.
I will check the promiscuous mode command. From all VLANs, I am getting new station alerts. If I am not in promiscuous mode, will I get new station alerts?

Thanks,
Peter
0
 
JRoyse Commented:
If you are using any type of spanned port, you will definitely need promiscuous mode to receive any and all traffic.
0
 
anishpeter Author Commented:
I need one more day to research this question.

Thanks,
Peter
0
 
anishpeter Author Commented:
Hi Royse,
    Yes, I succeeded. I used the ifconfig eth1 promisc command and I am able to see all ARP changes in my arpwatch daemon. Really interesting.
But since arpwatch is only a monitoring tool, we have to take quick decisions once we find a real MAC address change in the network.
Anyone concerned about L2 security issues, just mail me: mail@jlan.in

Thanks,
Peter
0
 
anishpeter Author Commented:
Please see the command to make the interface promiscuous in my comments. Also you can contact me about L2 security issues like ARP poisoning and MITM attacks.
0
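A defender-side triage of arpwatch's syslog output, added here as an example that is not from the thread or from the arpwatch project: it parses the "new station", "changed ethernet address" and "flip flop" messages arpwatch logs, and flags a change as high severity when the affected IP is a gateway or when the new MAC already belongs to another host, which is the pattern a gateway poisoning produces. The log lines, the interface name and the gateway address are constructed.

```python
import re
from collections import defaultdict

# Constructed arpwatch syslog sample: message shapes follow arpwatch's "new station",
# "changed ethernet address" and "flip flop" reports; all addresses are made up.
SAMPLE_LOG = """\
Mar 10 09:01:02 sensor arpwatch: new station 10.20.0.1 0:1a:2b:3c:4d:1 eth1
Mar 10 09:01:05 sensor arpwatch: new station 10.20.0.55 0:1a:2b:3c:4d:55 eth1
Mar 10 09:01:07 sensor arpwatch: new station 10.20.0.77 0:1a:2b:3c:4d:77 eth1
Mar 10 09:15:40 sensor arpwatch: changed ethernet address 10.20.0.1 0:1a:2b:3c:4d:77 (0:1a:2b:3c:4d:1) eth1
Mar 10 09:15:41 sensor arpwatch: flip flop 10.20.0.1 0:1a:2b:3c:4d:1 (0:1a:2b:3c:4d:77) eth1
"""

LINE_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+(?:\.\d+){3}) (?P<mac>[0-9a-fA-F:]+)"
    r"(?: \((?P<old>[0-9a-fA-F:]+)\))? (?P<ifc>\S+)"
)

def norm_mac(mac):
    """arpwatch prints MACs without leading zeros (0:1a:...:1); pad to a canonical form."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))

def analyze(log_text, gateways):
    """One alert per MAC change, noting gateway impact and other IPs already using the MAC."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, mac, event = m["ip"], norm_mac(m["mac"]), m["event"]
        if event != "new station":
            others = sorted(mac_to_ips[mac] - {ip})  # hosts already seen with this MAC
            alerts.append({
                "event": event, "ip": ip, "new_mac": mac,
                "old_mac": norm_mac(m["old"]) if m["old"] else None,
                "gateway": ip in gateways, "also_claimed_by": others,
                "severity": "high" if (ip in gateways or others) else "medium",
            })
        prev = ip_to_mac.get(ip)  # update the IP/MAC table after evaluating the event
        if prev:
            mac_to_ips[prev].discard(ip)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, gateways={"10.20.0.1"}):
        print(a["severity"].upper(), a["event"], a["ip"], a["old_mac"], "->",
              a["new_mac"], "also claimed by:", a["also_claimed_by"])
```

On the constructed sample the gateway's MAC change is reported as high severity because the new MAC is the one 10.20.0.77 already announced; the following flip flop back to the original MAC is still high severity because the gateway is affected, but carries no second claimant.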