Note that this doesn’t really work for servers using alias IP address on a parent interface since the MAC address will be used more than once by design.
Put it in cron and make sure to change the EMAIL variable:
#!/bin/sh
# Simple ARP Poisoning Check
currentmonth=`date “+%Y-%m-%d %H:%M:%S”`
logpath=”/var/log”
EMAIL=me@email.com
logname=”arpwatch.log”
echo “ARP Poisoning Log: ” $currentmonth >> $logpath/$logname
echo -e “———————————————” >> $logpath/$logname
echo -e >> $logpath/arpwatch.log
arp -an | awk ‘{print $4}’ | sort | uniq -c | grep -v 1
if [ “$?” -eq 0 ]
then
arp -an | awk ‘{print $4}’ | sort | uniq -c | grep -v 1 >> $logpath/$logname 2>&1
cat $logpath/$logname | mail -s ‘Potential ARP Poisoning ALERT’ $EMAIL
else
echo -e “No ARP poisoning found” >> $logpath/$logname
fi