Open source software for monitoring Address Resolution Protocol (ARP) traffic on computer networks, tracking Ethernet/IP address pairings and detecting changes.
Arpwatch is open source monitoring software that detects and logs changes in Address Resolution Protocol (ARP) traffic on a computer network. It works by keeping a database of Ethernet MAC addresses and their matching IP addresses. Arpwatch then monitors ARP replies on the local subnet and compares them to the stored addresses to detect inconsistencies.
If Arpwatch detects a discrepancy between a MAC address and IP address pairing that it already has recorded, it will log this change as a potential security threat. Sudden or frequent ARP reply changes could indicate ARP spoofing, ARP cache poisoning, or other man-in-the-middle (MiTM) attacks on the network.
By efficiently monitoring ARP traffic, Arpwatch aims to serve as an early warning system against malicious network activity. Common uses include detecting unknown hosts on networks, preventing ARP-based denial of service attacks, and observing ARP replies for inconsistencies that could reflect ARP spoofing attempts. As an open source tool, Arpwatch is free to download and modify as needed.
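The pairing comparison described above can be sketched as follows. This is an added example, not Arpwatch's own code: the event names (`new_pairing`, `changed_mac`, `flip_back`), the `PairingDB` class and the sample replies are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

def normalize(mac: str) -> str:
    """Canonicalize a MAC so '2:0:0:AA:BB:1' and '02:00:00:aa:bb:01' compare equal."""
    parts = mac.replace("-", ":").lower().split(":")
    if len(parts) != 6 or any(not 0 <= int(p, 16) <= 0xFF for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)

@dataclass
class PairingDB:
    """IP -> MAC pairings, plus the pairing held before the most recent change."""
    current: dict = field(default_factory=dict)
    previous: dict = field(default_factory=dict)

    def observe(self, ip: str, mac: str) -> Optional[str]:
        """Record one ARP reply; return an event name, or None if nothing changed."""
        mac = normalize(mac)
        known = self.current.get(ip)
        if known is None:                 # first time this IP is seen
            self.current[ip] = mac
            return "new_pairing"
        if known == mac:                  # matches the stored pairing
            return None
        # The IP now answers from a different MAC. If it is the MAC it used
        # just before the last change, the pairing is oscillating.
        event = "flip_back" if self.previous.get(ip) == mac else "changed_mac"
        self.previous[ip], self.current[ip] = known, mac
        return event

# Constructed sample of (sender IP, sender MAC) taken from ARP replies.
SAMPLE = [
    ("192.0.2.1",  "02:00:00:aa:bb:01"),
    ("192.0.2.10", "02:00:00:aa:bb:10"),
    ("192.0.2.1",  "2:0:0:AA:BB:1"),      # same host, different notation
    ("192.0.2.1",  "02:00:00:de:ad:01"),  # pairing changes
    ("192.0.2.1",  "02:00:00:aa:bb:01"),  # original owner answers again
    ("192.0.2.1",  "02:00:00:de:ad:01"),  # and changes back once more
]

def run(replies):
    """Feed replies through a fresh database and collect the events raised."""
    db = PairingDB()
    return [(ip, normalize(mac), ev) for ip, mac in replies
            if (ev := db.observe(ip, mac))]

if __name__ == "__main__":
    for ip, mac, ev in run(SAMPLE):
        print(f"{ev:12} {ip:12} {mac}")
```

A single `changed_mac` event is often benign (a replaced network card or a DHCP lease moving between hosts); repeated `flip_back` events for the same IP are the pattern that warrants investigation.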