Man-in-the-Middle Attacks

Carter Bullard carter at
Thu Feb 21 01:41:31 EST 2013

Hey Craig,
Oh sure.  Arpwatch is just a database of seen requests and responses,
and when there is a change in respondents, it generates a syslog message, or email.

If you use radump() to print out the arp data your probes see, you can build a cheapo arpwatch with perl / mysql / whatever.

So try something like this:
   radump -r data.file -s suser:64 duser:64 -  \
           arp and src pkts 1 and dst pkts 1

This should provide you with a tcpdump()-like output of the arp transactions, and from there you can keep track of the ethernet / IP addr pairs yourself, looking for changes.

I'm just coming back from some surgery, and there is a bit of work in the pipe: rapolicy() reworking, more memory leaks with radium and some of the labels, but we should get rarpwatch() going again, along with some of the other half-done examples.  I tried to use raports() the other day, and it barfed on me.  Not good.

The old arpwatch was a good program.  If you can think of other features to put in, we can build a better arpwatch.

Hope all is most excellent,


On Feb 21, 2013, at 1:15 AM, Craig Merchant <cmerchant at> wrote:

> Carter,
> You said earlier that the rarpwatch tool was still under development.  Can you think of any way that the current set of ra tools can be used to detect anomalous ARP activity?
> Thx.
> Craig
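
An added example, not part of the original message or of the argus distribution: a minimal tracker of ethernet / IP pairs in the spirit of the "cheapo arpwatch" suggested above. It assumes the pairs have already been extracted from the radump output into constructed "time IP MAC" lines (the radump output layout is not shown in the post); the event names follow arpwatch's report types.

```python
import re

# Constructed sample: "epoch-seconds IP MAC", one observed ethernet / IP pair per line.
# Assumption: these fields were already pulled out of the radump output.
SAMPLE = """\
1361428800 192.0.2.1 00:1B:21:0A:0B:0C
1361428805 192.0.2.10 0:50:56:aa:bb:1
1361428900 0.0.0.0 00:50:56:aa:bb:02
1361429000 192.0.2.1 00:1b:21:0a:0b:0c
1361429100 192.0.2.1 de:ad:be:ef:00:01
1361429160 192.0.2.1 00:1b:21:0a:0b:0c
"""

MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$")

def norm_mac(mac):
    """Lower-case and zero-pad each octet so 0:50:56:a:b:1 == 00:50:56:0a:0b:01."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(o.zfill(2) for o in mac.split(":"))

def watch(lines):
    """Return (time, event, ip, new_mac, old_mac) for each change in respondent."""
    current, previous, events = {}, {}, []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue                      # skip blank or malformed lines
        ts, ip, mac = int(fields[0]), fields[1], norm_mac(fields[2])
        if ip == "0.0.0.0" or mac == "ff:ff:ff:ff:ff:ff":
            continue                      # address probes / broadcast carry no binding
        old = current.get(ip)
        if old is None:
            events.append((ts, "new station", ip, mac, None))
        elif old != mac:
            # A return to the address seen just before is reported separately
            # ("flip flop"): it often means two hosts answer for the same IP.
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            events.append((ts, kind, ip, mac, old))
            previous[ip] = old
        else:
            continue                      # same pair as before, nothing to report
        current[ip] = mac
    return events

if __name__ == "__main__":
    for ev in watch(SAMPLE.splitlines()):
        print(*ev)
```

In place of the print loop, each event tuple could be sent to syslog or email, as arpwatch does.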