Recently I created a simple script for someone to watch out for malicious, or just any, ARP changes in their local cache.
The script just watches the ARP table and reports when modified. The script uses Python and BSD ARP tool. Do take note of the variations of Python version no., dependencies and ARP output.
from time import sleep
import threading, subprocess
arps = dict()
class check(threading.Thread):
def run(self):
while True:
arplines = subprocess.check_output(“arp -a | awk ‘{print $2 , $4}'”, shell=True).split(‘\n’)
for line in arplines:
if line.split():
k=line.split()[0]
v=line.split()[1]
if k in arps and arps[k] != v:
print “ALERT! MAC Address changed for ” + k arps[k] = v
print arps sleep(5) return 0
main = check()
main.start()Author
Kristo Helasvuo, Guest Author.