How to Fight ARP Spoofing In Linux?

Hooking into public Wi-Fi is a hot trend nowadays. But is it really safe to send login information over these open networks?

Whenever we log in to a network, the network reads our IP address and our MAC address and assigns us a specific ID, so that data carrying that MAC address and that IP address in the header is identified by the server or the gateway. Wi-Fi is a broadcast-type network, so packets sent over Wi-Fi are available to everyone. If we spoof our MAC address to match that of the device that initiates ARP queries, such as the server or the gateway, we can grab all the packets that were meant for the server. This is called ARP spoofing: the attacker's MAC address is changed to disturb ARP (Address Resolution Protocol) and grab all packets on the network.


What the packets reveal depends on the network type. If it is an HTTP network, any login information is in plain text and easy to crack. HTTPS is relatively secure (depending on the encryption level).

So, to monitor ARP spoofing on your network:

Arpwatch is open source software that checks the network for possible ARP poisoning. It lists the changing IP addresses and MAC addresses on a network. This helps us determine the IP of the user while he is busy using brute force on the gathered information.

Arpwatch keeps working in the background, and you can check the log file anytime at /var/lib/arpwatch. Enjoy.
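The kind of check described above (watching for IP-to-MAC pairings that change) can be sketched against the Linux ARP cache in `/proc/net/arp`. This is an added example, not arpwatch's own code; the function names and the two sample snapshots are constructed for illustration.

```python
"""Diff two snapshots of Linux's /proc/net/arp and report suspicious changes."""

def parse_arp_table(text):
    """Return {ip: mac} from /proc/net/arp text, skipping unresolved entries."""
    table = {}
    for line in text.strip().splitlines()[1:]:   # line 0 is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if int(flags, 16) == 0 or mac == "00:00:00:00:00:00":
            continue                             # incomplete entry, no MAC yet
        table[ip] = mac
    return table

def find_anomalies(before, after):
    """Compare two {ip: mac} maps; return a sorted list of findings."""
    findings = []
    for ip, mac in after.items():                # an IP that moved to a new MAC
        old = before.get(ip)
        if old is not None and old != mac:
            findings.append(("mac-changed", ip, old, mac))
    by_mac = {}
    for ip, mac in after.items():                # one MAC answering for many IPs
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:                         # can be benign (e.g. proxy ARP)
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return sorted(findings)

# Constructed sample data: private addresses, locally administered MACs.
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
BEFORE = HEADER + (
    "192.168.1.1      0x1         0x2         aa:aa:aa:aa:aa:01     *        wlan0\n"
    "192.168.1.23     0x1         0x2         aa:aa:aa:aa:aa:17     *        wlan0\n"
    "192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0\n"
)
AFTER = HEADER + (
    "192.168.1.1      0x1         0x2         aa:aa:aa:aa:aa:17     *        wlan0\n"
    "192.168.1.23     0x1         0x2         aa:aa:aa:aa:aa:17     *        wlan0\n"
)

if __name__ == "__main__":
    for finding in find_anomalies(parse_arp_table(BEFORE), parse_arp_table(AFTER)):
        print(finding)
```

On a live system, pass in the contents of `/proc/net/arp` read at two points in time instead of the sample strings.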

To install arpwatch, go here.

For better security, always carry arpwatch with you if you are a frequent public Wi-Fi user.

Published by

Chinmoy Kanjilal
