DIY DNS/ARP Spoofing Detection

Draft, work in progress: this produces too many files. We need a more elegant way to track and handle the ARP snapshots.


Instead of actively searching for peers with nmap, as the script below does, you might prefer to run that on a gateway. In any case you will only cover a defined subnet: this does not monitor the whole LAN.

Also, this is not live monitoring. The cron job may be set up to run every five minutes or so (the scan itself only takes a few seconds, depending on the scan method chosen in the script).

The arp -a command also resolves names (static and dynamic), so a diff of its output can catch both DNS and ARP cache poisoning at once.


First, make sure you will receive the cron job's output by email:

tail -F /var/log/mail.log
tail -F /var/log/maillog
date | mail -s `hostname` root


Take a first snapshot:

mkdir -p $HOME/arp/
cd $HOME/arp/
arp -a | sort > `date +%s`

Get the script up and running in a cron job:

cd ~/bin/
mv -i arpcheck.ksh.txt arpcheck.ksh
chmod +x arpcheck.ksh
vi arpcheck.ksh


Check that it runs, then add the cron entry:

crontab -e

*/5     *       *       *       *       /root/bin/arpcheck.ksh
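The check the cron job is meant to perform, as an added example that is not the author's arpcheck.ksh: it keeps a single baseline, compares each run's arp -a output against it, and only writes a timestamped file when something changed, which also keeps the directory small. The function names (arp_normalize, arp_check, arp_run), the ARPDIR variable, the baseline/current file names and the sample arp -a lines are assumptions.

```shell
#!/bin/sh
# Added example, not the author's arpcheck.ksh: compare `arp -a` snapshots against a
# saved baseline and keep a timestamped copy only when something changed.
# Assumes Linux net-tools `arp -a` lines such as 'gw.lan (192.0.2.1) at aa:bb:cc:00:00:01 [ether] on eth0'
# and '? (192.0.2.99) at <incomplete> on eth0' for unanswered requests.

# Reduce raw `arp -a` output to "ip mac name" lines, sorted by IP (stable diffs).
arp_normalize() {
    awk '{ ip = $2; gsub(/[()]/, "", ip); print ip, $4, $1 }' "$1" | LC_ALL=C sort
}

# Compare baseline ($1) with current ($2), both normalised. Prints one line per finding
# and returns 1 when an ALERT or NEW entry was seen, 0 when the cache matches the baseline.
arp_check() {
    awk '
        BEGIN { n = 0 }
        cur != 1 { bmac[$1] = $2; bname[$1] = $3; next }   # first file: the baseline
        {
            ip = $1; mac = $2; name = $3
            if (mac == "<incomplete>") { print "INFO incomplete entry for " ip; next }
            # one MAC answering for several IPs is the classic spoofing signature
            if (mac in owner && owner[mac] != ip) { print "ALERT mac " mac " claims both " owner[mac] " and " ip; n++ }
            owner[mac] = ip; seen[ip] = 1
            if (!(ip in bmac)) { print "NEW " ip " " mac " " name; n++; next }
            if (bmac[ip] != mac) { print "ALERT mac changed for " ip ": " bmac[ip] " -> " mac; n++ }
            if (bname[ip] != name) { print "ALERT name changed for " ip ": " bname[ip] " -> " name; n++ }
        }
        END {
            for (ip in bmac) if (!(ip in seen)) print "INFO " ip " no longer in cache"
            exit (n > 0)
        }' "$1" cur=1 "$2"
}

# Cron entry point (`arpcheck.sh run`). ARPDIR is an assumed variable, default $HOME/arp.
arp_run() {
    dir="${ARPDIR:-$HOME/arp}"; mkdir -p "$dir"
    arp -a > "$dir/current.raw"
    arp_normalize "$dir/current.raw" > "$dir/current"
    if [ ! -f "$dir/baseline" ]; then
        mv "$dir/current" "$dir/baseline"; echo "baseline created in $dir"; return 0
    fi
    if ! arp_check "$dir/baseline" "$dir/current"; then
        cp "$dir/current" "$dir/$(date +%s)"   # keep the evidence; cron mails the findings above
        return 1
    fi
    return 0
}
case "${1:-}" in run) arp_run ;; esac
```

When a reported change turns out to be legitimate (a new machine, a replaced NIC), move the saved snapshot over $HOME/arp/baseline so the next run is quiet again.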


Related questions:

What are the reasons for seeing an incomplete ARP?

Command-line tool to obtain OUI vendor info from MAC address?