Simple ARP Poisoning Check Shell Script

Note that this doesn't really work for servers using alias IP addresses on a parent interface, since the same MAC address will then appear more than once by design.

Put it in cron and make sure to change the EMAIL variable:

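#!/bin/sh

# Simple ARP Poisoning Check
# Flags any MAC address that shows up for more than one IP in the ARP cache.
currentmonth=`date "+%Y-%m-%d %H:%M:%S"`
logpath="/var/log"
EMAIL=me@email.com
logname="arpwatch.log"

echo "ARP Poisoning Log: $currentmonth" >> "$logpath/$logname"
echo "---------------------------------------------" >> "$logpath/$logname"
echo >> "$logpath/$logname"

# Count how often each MAC occurs and keep only those seen more than once.
# '$4 ~ /:/' skips unresolved (<incomplete>) entries. The count is compared
# numerically because 'grep -v 1' would also drop every line whose MAC
# happens to contain the digit 1.
dupes=`arp -an | awk '$4 ~ /:/ {print $4}' | sort | uniq -c | awk '$1 > 1'`

if [ -n "$dupes" ]
then
    echo "$dupes" >> "$logpath/$logname"
    mail -s 'Potential ARP Poisoning ALERT' "$EMAIL" < "$logpath/$logname"
else
    echo "No ARP poisoning found" >> "$logpath/$logname"
fi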