Tracking Wireless Users with arpwatch
Automatically keep a database of MAC address to IP address mappings.
MAC address filters are easily circumvented using commonly available tools—see [Hack #87]. If your APs are bridged to the Ethernet segment, there are a couple of utilities you can use to look for people fiddling with their MAC addresses. One such tool is arpwatch, available from http://www-nrg.ee.lbl.gov/nrg.html.
arpwatch runs as a daemon on any machine, and keeps track of the MAC address/IP address pairs as ARP replies pass through the network. When it notices something out of the ordinary, it logs the activity to syslog, as well as sends an email to the address of your choice. Aside from looking for suspicious activity, this also gives you a nice log of every new user on your wireless network. This can be fun to watch over time, particularly if you are running an open wireless network.
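To make the mechanism concrete, here is a small arpwatch-style tracker written as an added example for this hack (it is not arpwatch's own code). It parses raw Ethernet/ARP frames, keeps an IP-to-MAC table in memory the way arpwatch keeps arp.dat, and reports the same kinds of events arpwatch logs: a new station, a changed ethernet address, and a flip flop (an address bouncing back to a MAC it used before). The frames it processes are constructed in-memory test input; the tab-separated dump format and the exact message wording are this example's own choices, not arpwatch's file format or log strings.

```python
"""Minimal arpwatch-style ARP tracker (added example, not arpwatch's code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpReply:
    """Sender hardware/protocol address pair taken from one ARP reply."""
    sender_mac: str
    sender_ip: str
    timestamp: int


def parse_arp_reply(frame: bytes, timestamp: int) -> Optional[ArpReply]:
    """Return the sender MAC/IP of an Ethernet II ARP reply, or None for anything else."""
    if len(frame) < 14 + 28:            # Ethernet header + minimal ARP body
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    # Only Ethernet/IPv4 ARP replies are interesting; requests carry no answer.
    if (htype, ptype, hlen, plen, oper) != (1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return ArpReply(mac, ip, timestamp)


def sample_arp_reply_frame(sender_mac: str, sender_ip: str) -> bytes:
    """Build an in-memory ARP reply frame used only as constructed test input."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    ip = bytes(int(octet) for octet in sender_ip.split("."))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY)
    arp += mac + ip + b"\x00" * 6 + b"\x00" * 4   # target fields left zeroed
    return eth + arp


class ArpWatcher:
    """Tracks IP -> MAC pairs and records arpwatch-like events."""

    def __init__(self) -> None:
        self.db: Dict[str, Tuple[str, int]] = {}   # ip -> (mac, last seen)
        self.previous_mac: Dict[str, str] = {}     # ip -> mac before the last change
        self.events: List[str] = []

    def observe(self, reply: ArpReply) -> Optional[str]:
        ip, mac = reply.sender_ip, reply.sender_mac
        entry = self.db.get(ip)
        if entry is None:
            self.db[ip] = (mac, reply.timestamp)
            return self._record("new station", ip, mac)
        old_mac, _ = entry
        self.db[ip] = (mac, reply.timestamp)
        if old_mac == mac:
            return None                             # same pair again: nothing to report
        # A return to the MAC seen before the last change is a flip flop, which on a
        # wireless segment usually means two stations are contending for one IP.
        kind = "flip flop" if self.previous_mac.get(ip) == mac else "changed ethernet address"
        self.previous_mac[ip] = old_mac
        return self._record(kind, ip, mac, old_mac)

    def _record(self, kind: str, ip: str, mac: str, old_mac: Optional[str] = None) -> str:
        msg = f"{kind}: ip={ip} mac={mac}" + (f" (was {old_mac})" if old_mac else "")
        self.events.append(msg)
        return msg

    def dump(self) -> str:
        """Serialize the table, one 'mac<TAB>ip<TAB>timestamp' line per address."""
        return "\n".join(f"{mac}\t{ip}\t{ts}" for ip, (mac, ts) in sorted(self.db.items()))


def run_sample() -> List[str]:
    """Feed a constructed sequence of frames through the watcher and return its events."""
    frames = [
        (1000, sample_arp_reply_frame("00:11:22:33:44:55", "10.0.0.5")),  # new station
        (1010, sample_arp_reply_frame("00:11:22:33:44:55", "10.0.0.5")),  # repeat, silent
        (1020, sample_arp_reply_frame("66:77:88:99:aa:bb", "10.0.0.5")),  # changed address
        (1030, sample_arp_reply_frame("00:11:22:33:44:55", "10.0.0.5")),  # flip flop
        (1040, sample_arp_reply_frame("de:ad:be:ef:00:01", "10.0.0.9")),  # new station
        (1050, b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 40),  # IPv4, ignored
    ]
    watcher = ArpWatcher()
    for ts, frame in frames:
        reply = parse_arp_reply(frame, ts)
        if reply is not None:
            watcher.observe(reply)
    return watcher.events


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

In a real deployment the frames would come from a promiscuous capture on the bridged segment, and each event would be handed to syslog and the WATCHER address rather than appended to a list; the detection logic itself does not change.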
After you unpack the arpwatch archive, take a look at addresses.h. This is where the email address is set, so be sure to update it before you compile arpwatch. Set WATCHER to whatever you like (the default is “root,” which sends it to root at the machine that is running arpwatch).
You should be able to build and install the binaries with the usual commands:
root@florian:~/arpwatch-2.1a11# ./configure; make; make install
Unfortunately, this doesn’t install all of the necessary pieces. In particular, arpwatch expects /usr/local/arpwatch to exist by default and to contain the arp.dat database file. ...