How to: Detect ARP Spoofing under UNIX or Linux

Q. I would like to know – how do I detect ARP spoofing? I am using Debian Linux.

A. Use arpwatch command to keeps track for ethernet/ip address pairings. It logs message or activity to syslogs and reports certain changes via email.

Arpwatch uses pcap to listen for arp packets on a local ethernet interface.

Install arpwatch

Use apt-get command under Debian / Ubuntu Linux:
# apt-get install arpwatch
OR
$ sudo apt-get install arpwatch

arpwatch command examples

You can watch particular interface with command:
# arpwatch -i eth0

You will notice syslog entries as follows /var/log/syslog file (or /var/log/message file) when changes are made i.e MAC/IP address pair is changed:
# tail -f /var/log/syslogOutput:

Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0

Above entry displays new workstation. If changes are made you should see something as follows:

Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 
(0:17:9a:a:f6:44)

You can also use arp -a command to display current ARP table:
$ arp -a


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 2 comments so far... add one


CategoryList of Unix and Linux commands
Disk space analyzersdf duf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Modern utilitiesbat exa
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg glances gtop jobs killall kill pidof pstree pwdx time vtop
Searchingag grep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
2 comments… add one
  • prakkls Feb 23, 2010 @ 5:25

    please provide some sample code to implement networking commands

  • Chris Jun 21, 2010 @ 19:48

    XArp v2.1.0 for Linux has been released!

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum