How To Monitor and Be Informed of IP Address Changes From Your Network

An IT client enters your company, your boss ordered you to provide a browsing local IP address for that client's laptop for one week. Your boss gave emphasis to also monitor his IP address changes if any and let him be informed immediately for such IP address changes. But you don't have access to your client's laptop. And you don't want to request access from him as well as he would immediately comprehend your intentions somehow.

And so, you provided him his temporary browsing IP address as your LAN does not support DHCP nor boot from network services. How would you monitor and log any possible IP address changes coming from the said IT client's laptop.

Introducing Arpwatch

The arpwatch package contains arpwatch and arpsnmp.  Arpwatch and arpsnmp are both network monitoring tools.  Both utilities monitor Ethernet or FDDI network traffic and build databases of Ethernet/IP address pairs, and can report certain changes via email. In short, arpwatch  is a linux network monitoring tools for tracking IP addresses on your network.

Arpwatch Installation

# yum -y install arpwatch

Monitoring IP Address Changes By Email via Arpwatch

Edit /etc/sysconfig/arpwatch and make sure the below similar conf files exists

OPTIONS="-u arpwatch  -e ver -s 'Arpwatch'"

Save and exit.

Make sure your system is configured to accept and deliver mails.

Start Arpwatch Service

# service arpwatch start

Stop Arpwatch Service

# service arpwatch start

Permanent Arpwatch Startup Between Reboot

# chkconfig --levels 35 arpwatch on

Monitoring IP Address Changes By Log via Arpwatch

By default, arpwatch send its log details to /var/log/messages. To monitor all arpwatch log messages

# tail -f /var/log/messages | grep arpwatch

# cat /var/log/messages | grep arpwatch

Monitoring IP Address Conflicts By Log via Arpwatch

To list down all IP address changes occurrences within your network reachable by your current IP address configurations

# cat /var/log/messages | grep arpwatch | grep 'flip\|flop'

Tracing IP Address Changes using Arpwatch

Get the last and known IP address changes from the target host

# cat /var/log/messages | grep "192.168.2.33"

Tracing MAC Address of IP Address Changes using Arpwatch

Retrieve all MAC Address of all host that changed their IP address to 192.168.2.33 and count their occurrences

#  cat messages | grep '192.168.2.33'

Aug 14 18:05:49 ver arpwatch: bogon 192.168.2.33 0:2:6f:46:74:f
Aug 14 18:05:54 ver arpwatch: bogon 192.168.2.33 0:2:6f:46:74:f
Aug 14 18:06:05 ver arpwatch: bogon 192.168.2.33 0:2:6f:46:74:f
Aug 14 18:06:31 ver arpwatch: bogon 192.168.2.33 0:2:6f:46:74:f

Filter and  count all occurrences using grep, awk, sort and uniq linux command as shown

#  cat messages | grep '192.168.2.33' | awk '{print $8}' | sort | uniq -c

Tracing Other IP Address Changes Used by Target Host using Arpwatch

From the recent command, copy the MAC Address and use it as a grep filter from arpwatch log file. For example, using 0:2:6f:46:74:f as the target MAC Address, simply

# cat /var/log/messages | grep arpwatch | grep '0:2:6f:46:74:f'

Aug 16 14:03:51 ver arpwatch: bogon 192.168.2.33 0:2:6f:46:74:f
Aug 16 14:04:03 ver arpwatch: bogon 192.168.2.33 0:2:6f:46:74:f
Aug 16 14:04:03 ver arpwatch: bogon 192.168.2.33 0:2:6f:46:74:f
Aug 16 14:04:03 ver arpwatch: bogon 192.168.2.33 0:2:6f:46:74:f

The above would give you all details of IP address changes coming from the source host including the source MAC address.

Taken from the result is the MAC Address 0:2:6f:46:74:f . You can further filter out and count the number of occurrences by using grep and awk like so

# cat messages | grep arpwatch | grep '0:2:6f:46:74:f' | awk '{print $7}' | sort | uniq -c

32365 192.168.2.33
5130 192.168.100.33

The above shows more than 32,000 occurrences of bogon from 192.168.2.33 and more than 5,000 from 192.168.100.333. You can further filter out by adding IP address changes only by using flip flop filter word

# cat messages | grep arpwatch | grep 'flop' | grep '192.168.2.33' | awk '{print $7}' | sort | uniq -c

All is done