Monitoring with ARPWatch

ARPWatch is a daemon that watches for new Ethernet interfaces on a network. A new ARP entry may indicate a rogue computer somewhere within the network.
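The idea described above, as an added example (not code from the book or from ARPWatch): a small tracker that replays ARP observations and reports addresses it has not seen before. It goes slightly beyond the text by also reporting an IP whose hardware address changes. The event names, the `ArpTracker` class, and the sample observations are assumptions constructed for illustration.

```python
# Added illustration: a minimal model of ARP-pairing tracking, not ARPWatch's own code.
from dataclasses import dataclass, field

# Constructed sample observations: (timestamp, IP, MAC) as seen in ARP traffic.
SAMPLE_OBSERVATIONS = [
    (1000, "192.0.2.10", "00:16:3E:AA:00:01"),
    (1005, "192.0.2.11", "00:16:3e:aa:00:02"),
    (1010, "192.0.2.10", "00:16:3e:aa:00:01"),  # known pairing, no event
    (1020, "192.0.2.12", "00:16:3e:aa:00:03"),
    (1030, "192.0.2.11", "00:16:3e:bb:00:99"),  # IP now claimed by a different MAC
    (1040, "192.0.2.13", "00:16:3e:aa:00:03"),  # known MAC answering for a second IP
]

@dataclass
class ArpTracker:
    ip_to_mac: dict = field(default_factory=dict)  # current MAC for each IP
    seen_macs: set = field(default_factory=set)    # every MAC observed so far

    def observe(self, ts, ip, mac):
        """Record one observation; return an event dict, or None if nothing changed."""
        mac = mac.lower()  # normalise case so the same address compares equal
        previous = self.ip_to_mac.get(ip)
        if previous == mac:
            return None
        if previous is None:
            kind = "new_ip_known_mac" if mac in self.seen_macs else "new_station"
        else:
            kind = "mac_changed"
        self.ip_to_mac[ip] = mac
        self.seen_macs.add(mac)
        return {"ts": ts, "kind": kind, "ip": ip, "mac": mac, "previous_mac": previous}

def detect_events(observations, baseline=None):
    """Replay observations in order; baseline is an optional known-good {ip: mac} map."""
    tracker = ArpTracker()
    for ip, mac in (baseline or {}).items():
        tracker.observe(0, ip, mac)  # seed silently; baseline entries raise no alerts
    events = []
    for ts, ip, mac in observations:
        event = tracker.observe(ts, ip, mac)
        if event:
            events.append(event)
    return events

if __name__ == "__main__":
    for e in detect_events(SAMPLE_OBSERVATIONS):
        print(e)
```

Seeding `baseline` with the hosts you already trust keeps the first run from reporting every existing machine as new.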

ARPWatch uses the PCap library, which may not (yet) be on your system. If it's not, you'll find out during the configuration process for ARPWatch. The PCap library, commonly known as libpcap, can be downloaded from http://www.tcpdump.org/. It is also used by other network and security-related programs such as TCPDump. Because TCPDump was already covered, I'll forgo repeating the instructions for installing libpcap in this chapter and instead refer you to the section “TCPDump: A Simple Overview” for those instructions.

Installation ...
