Detecting DNS and ARP spoofing / cache poisoning

First, make sure that the output of cron jobs is delivered to you as mail messages.

The arp -a command also does DNS resolution, so we can check for both DNS and ARP cache poisoning at once.

You are ready to set up this ultra-simple script:

mkdir -p ~/bin
vi ~/bin/arpcheck

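#!/bin/bash
# Snapshot the ARP cache (arp -a also resolves names), probe the subnet
# to repopulate the cache, snapshot again and print what changed.

mkdir -p ~/arp
cd ~/arp || exit 1
arp -a | sort > "$(date +%s)"
# Probe every host so that its entry shows up in the ARP cache
nmap -sn 10.1.1.0/24 >/dev/null
nmap -Pn -sU -p66 10.1.1.0/24 >/dev/null
arp -a | sort > "$(date +%s)"
# Compare the two most recent snapshots
diff -bu "$(ls -1 | tail -2 | head -1)" "$(ls -1 | tail -1)"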

chmod +x ~/bin/arpcheck
crontab -e

# cron does not expand $HOME in variable assignments, so the path is spelled out
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin
*/5 * * * * /root/bin/arpcheck
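
The diff mailed by the script still has to be read by eye. The following added example (not part of the original script) compares two saved snapshots and reports only an IP whose MAC or resolved name changed, plus any MAC that answers for more than one IP. It assumes the net-tools arp -a line format; the function names and the sample snapshots are constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of the original script.
# Assumes net-tools `arp -a` lines: NAME (IP) at MAC [ether] on IFACE

# arp_changes OLD NEW: report IPs whose MAC or resolved name differs.
arp_changes() {
    awk '
        $4 !~ /^[0-9A-Fa-f:]+$/ { next }            # skip <incomplete> entries
        { ip = $2; gsub(/[()]/, "", ip); m = tolower($4) }
        NR == FNR { mac[ip] = m; name[ip] = $1; next }
        (ip in mac) && mac[ip] != m   { print "MAC_CHANGED", ip, mac[ip], m }
        (ip in mac) && name[ip] != $1 { print "NAME_CHANGED", ip, name[ip], $1 }
    ' "$1" "$2"
}

# arp_dup_macs FILE: report MACs that answer for more than one IP.
# Routers and hosts with alias addresses do this legitimately.
arp_dup_macs() {
    awk '
        $4 !~ /^[0-9A-Fa-f:]+$/ { next }
        { ip = $2; gsub(/[()]/, "", ip); m = tolower($4)
          ips[m] = (n[m]++ ? ips[m] "," ip : ip) }
        END { for (m in n) if (n[m] > 1) print "DUP_MAC", m, ips[m] }
    ' "$1" | sort
}

# Constructed sample snapshots (not real captures).
tmp=$(mktemp -d)
old=$tmp/old; new=$tmp/new
cat > "$old" <<'EOF'
? (10.1.1.7) at <incomplete> on eth0
gw.lan (10.1.1.1) at 00:11:22:33:44:55 [ether] on eth0
nas.lan (10.1.1.20) at 00:11:22:aa:bb:cc [ether] on eth0
pc.lan (10.1.1.30) at 02:00:00:00:00:30 [ether] on eth0
EOF
cat > "$new" <<'EOF'
gw.lan (10.1.1.1) at 02:00:00:00:00:30 [ether] on eth0
files.lan (10.1.1.20) at 00:11:22:aa:bb:cc [ether] on eth0
pc.lan (10.1.1.30) at 02:00:00:00:00:30 [ether] on eth0
EOF

arp_changes "$old" "$new"
arp_dup_macs "$new"
```

In the sample, the gateway address 10.1.1.1 moving to the MAC of 10.1.1.30 is the pattern an ARP cache poisoning leaves behind, and the changed name for 10.1.1.20 is what a tampered name resolution would look like.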