ArpAlert 0.4.10

Related categories: Security tools

Thierry Fournier
Viewed: 6763 | Article date: 2006-02-27 12:14:46

ArpAlert is intended for controlling access to LANs. The utility listens for ARP requests and compares them against a list of authorised MAC addresses. ArpAlert is used in corporate security solutions.

Quickstart: Imagine you're in charge of a large LAN with poor access control. Knowing that virus infections and data theft most commonly originate from illegally connected computers, you decide to start monitoring unauthorised connections. This is where ArpAlert comes in.

We start by downloading the latest version from the official website. Installing the program from the sources requires the traditional ./configure && make && make install command sequence (bear in mind that the last of these requires root privileges). The main application directory can be specified in the ./configure script; the default directory is /usr/local/arpalert.

The configuration file resides by default at /usr/local/arpalert/etc/arpalert/arpalert.conf, so it might be convenient to create a symlink to it in /etc. We will make a few changes to the default settings, disabling a handful of advanced features which we won't need for the moment. Disable the log unauth request and alert on unauth request options by changing their values from true to false, comment out the line starting with auth request file, and set all parameters beginning with alert on to false.

Still working as root, we can now run the program by executing /usr/local/arpalert/sbin/arpalert -d. The -d switch is required to run the utility as a daemon. This mode can be enabled permanently in the configuration file by replacing the daemon = false entry with daemon = true. ArpAlert logs requests from detected hosts to /var/log/messages (/var/log/syslog in some distributions), so running the tail utility in a new console will print incoming requests: tail -f /var/log/messages. MAC addresses for new hosts are written to /usr/local/arpalert/var/lib/arpalert/arpalert.leases and can easily be viewed using cat.

Figure 1. Log fragment showing ArpAlert requests
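
The configuration edits from the quickstart above can be scripted so they are applied the same way on every monitoring host. The following is an added example, not part of the original article or of ArpAlert itself; the sample configuration is constructed, and it also applies the optional daemon = true change.

```shell
#!/bin/sh
# Added example, not ArpAlert's own code. Applies the quickstart edits from
# the article to an arpalert.conf-style file.

# Constructed sample config. Only "log unauth request", "alert on unauth
# request", "auth request file" and "daemon" are named in the article; the
# "alert on ip change" line and the file path are illustrative placeholders.
sample_conf() {
cat <<'EOF'
daemon = false
log unauth request = true
alert on unauth request = true
alert on ip change = true
auth request file = /path/to/authrq.conf
# alert on example = true
EOF
}

# quickstart_conf [FILE]: print the config (FILE or stdin) with the edits applied.
# Lines that are already commented out are left untouched.
quickstart_conf() {
    sed -E \
        -e 's/^([[:space:]]*log unauth request[[:space:]]*=[[:space:]]*)true/\1false/' \
        -e 's/^([[:space:]]*alert on [^=]*=[[:space:]]*)true/\1false/' \
        -e 's/^([[:space:]]*)(auth request file)/\1#\2/' \
        -e 's/^([[:space:]]*daemon[[:space:]]*=[[:space:]]*)false/\1true/' \
        "$@"
}

# apply_quickstart FILE: edit FILE in place. The first run keeps the
# untouched original as FILE.orig; later runs do not overwrite that backup.
apply_quickstart() {
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig" || return 1
    quickstart_conf "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# Demo on the constructed sample only; nothing on the system is touched.
sample_conf | quickstart_conf
```

To change a real installation, run apply_quickstart as root on the configuration file path given above and compare the result with the .orig copy before restarting the daemon.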

Copyright © 2006 by Software Developer's Journal. All rights reserved.