Automatically keep a database of MAC address to IP address mappings.

MAC address filters are easily circumvented using commonly available tools—see [Hack #87]. If your APs are bridged to the Ethernet segment, there are a couple of utilities you can use to look for people fiddling with their MAC addresses. One such tool is arpwatch, available from http://www-nrg.ee.lbl.gov/nrg.html.

arpwatch runs as a daemon on any machine, and keeps track of the MAC address/IP address pairs as ARP replies pass through the network. When it notices something out of the ordinary, it logs the activity to syslog, as well as sends an email to the address of your choice. Aside from looking for suspicious activity, this also gives you a nice log of every new user on your wireless network. This can be fun to watch over time, particularly if you are running an open wireless network.

After you unpack the arpwatch archive, take a look at addresses.h. This is where the email address is set, so be sure to update it before you compile arpwatch. Set WATCHER to whatever you like (the default is “root,” which sends it to root at the machine that is running arpwatch).

You should be able to build and install the binaries with the usual commands:

root@florian:~/arpwatch-2.1a11# ./configure; make; make install

Unfortunately, this doesn’t install all of the necessary pieces. In particular, arpwatch expects /usr/local/arpwatch to exist by default and to contain the arp.dat database file. ...