DIY DNS/ARP Spoofing Detection

First, make sure you actually receive the output of cron jobs: cron mails whatever a job prints to the owner of the crontab, so send a test message to root and check that it arrives (if it does not, fix local mail delivery or the root alias before going further).

date | mail -s `hostname` root

The arp -a command resolves the IP addresses in the ARP cache back to host names (reverse DNS), so a diff of its output catches both a changed MAC address (ARP cache poisoning) and a changed reverse DNS answer at once. It only exercises reverse lookups of the addresses on the LAN, not forward lookups of the names you actually use, so treat the DNS side as a partial check.

Prepare a first shot

mkdir -p "$HOME/arp/"
cd "$HOME/arp/"
arp -a | sort > "$(date +%s)"

and get the script up and running in a cron job

vi ~/arpcheck

#!/bin/sh
# ARP / reverse-DNS snapshot diff, meant to run from cron: any output is mailed.
subnet=192.0.2.0/24   # replace with your own LAN prefix
mkdir -p "$HOME/arp/"
cd "$HOME/arp/" || exit 1
# Populate the ARP cache: ping sweep, then a UDP probe to an arbitrary port so hosts that ignore ICMP still get ARP-resolved.
nmap -sn "$subnet" >/dev/null
nmap -Pn -T4 -sU -p66 "$subnet" >/dev/null
arp -a | sort > "$(date +%s)"
# Compare the two most recent snapshots (epoch file names sort chronologically); no output means no change.
diff -bu "$(ls -1 | tail -2 | head -1)" "$(ls -1 | tail -1)"

chmod +x ~/arpcheck

crontab -e

*/5     *       *       *       *       /root/arpcheck

(this is root's crontab; if you run it as another user, point it at that user's ~/arpcheck instead)
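The cron job above mails a raw diff, which leaves the reading to you. The following added example (not the page's own script) post-processes two "arp -a" snapshots and reports the two things that actually indicate ARP poisoning: an address whose MAC changed between snapshots, and one MAC answering for several addresses. The snapshots are constructed sample data in the Linux net-tools "arp -a" format; the field positions also hold for BSD output, and the "192.0.2.x" addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example: detect MAC changes and duplicate MACs across two "arp -a" snapshots.
# Assumed input format (net-tools):  host (IP) at MAC [ether] on IFACE
# Unanswered addresses appear as:     ? (IP) at <incomplete> on IFACE

# Constructed sample snapshots (not real captures). In the second one the
# gateway's MAC now matches the MAC of 192.0.2.50, a classic poisoning picture.
OLD_SNAPSHOT='gateway.lan (192.0.2.1) at 00:11:22:aa:bb:01 [ether] on eth0
fileserver.lan (192.0.2.10) at 00:11:22:aa:bb:10 [ether] on eth0
? (192.0.2.50) at 00:11:22:aa:bb:50 [ether] on eth0'

NEW_SNAPSHOT='gateway.lan (192.0.2.1) at 00:11:22:aa:bb:50 [ether] on eth0
fileserver.lan (192.0.2.10) at 00:11:22:aa:bb:10 [ether] on eth0
? (192.0.2.50) at 00:11:22:aa:bb:50 [ether] on eth0
? (192.0.2.77) at <incomplete> on eth0'

# changed_macs OLD NEW
# Prints "CHANGED ip oldmac -> newmac" for addresses whose MAC differs, and
# "NEW ip mac" for addresses absent from the old snapshot. Both snapshots are
# fed to one awk run, tagged OLD/NEW in the first field, so no temp files.
changed_macs() {
  {
    printf '%s\n' "$1" | awk '{ print "OLD", $0 }'
    printf '%s\n' "$2" | awk '{ print "NEW", $0 }'
  } | awk '
    { tag = $1; ip = $3; gsub(/[()]/, "", ip); mac = $5 }
    tag == "OLD" { old[ip] = mac }
    tag == "NEW" { new[ip] = mac }
    END {
      for (ip in new) {
        if (ip in old && old[ip] != new[ip])
          printf "CHANGED %s %s -> %s\n", ip, old[ip], new[ip]
        else if (!(ip in old))
          printf "NEW %s %s\n", ip, new[ip]
      }
    }' | sort
}

# duplicate_macs SNAPSHOT
# Prints "DUP mac ip ip..." for every MAC that answers for more than one
# address; <incomplete> entries are skipped since they carry no MAC.
duplicate_macs() {
  printf '%s\n' "$1" | awk '
    { ip = $2; gsub(/[()]/, "", ip); mac = $4 }
    mac != "<incomplete>" { count[mac]++; ips[mac] = ips[mac] " " ip }
    END { for (m in count) if (count[m] > 1) printf "DUP %s%s\n", m, ips[m] }' | sort
}

# Stand-alone run over the sample data; in the cron job you would pass
# "$(cat "$previous_file")" and "$(cat "$latest_file")" instead.
changed_macs "$OLD_SNAPSHOT" "$NEW_SNAPSHOT"
duplicate_macs "$NEW_SNAPSHOT"
```

On the sample data this reports the gateway's MAC change and the MAC shared by 192.0.2.1 and 192.0.2.50; the new `<incomplete>` entry for 192.0.2.77 is listed as NEW rather than CHANGED, which is the kind of line you can expect to see come and go between runs.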


What are the reasons for seeing an incomplete ARP entry? An `(incomplete)` line in arp -a means the kernel sent an ARP request for that address and got no reply before the timeout: the host is down or unplugged, the address is simply unused (the nmap sweep above probes every address in the subnet, so unused ones show up this way), or something is dropping the request. Such entries come and go between runs and are mostly noise in the diff; the lines that deserve attention are an existing address whose MAC changes, or one MAC answering for several addresses.
