ARP Spoof Detect is a simple, lightweight ARP spoofing detector script that checks if your network is being ARP spoofed.
The script is easy to set up and safe to run in background. Once an ARP spoof attack is detected, a system notification will be sent to the user, and corresponding information will be logged in the log file.
ARP Spoof Detect requires the following two packages to function on any machines.
On Ubuntu machine, it is easy to install these two packages by doing
apt-get install python-scapy python-netifaces
On Mac OS X, use pip to install scapy and netifaces.
First make sure detect_arpspoof.py is executable. Otherwise run
chmod +x detect_arpspoof.py
./detect_arpspoof.py
or simply you can just run
python detect_arpspoof.py
Please make sure that the script is run as the root user, as root privilege is required to operate network interfaces.
Now, choose the location where you wish to store your log file, or press enter to use the default file name.
Please input desired log file name. [spoof.log]
Once you've selected the log file location, you will be prompted to choose the network interface on which you would like to detect ARP spoofing. For most cases, this should be the default network interface you use to access Internet. A list of available interfaces on your machine is offered for your convenience.
Please select the interface you wish to use. ['lo0', 'gif0', 'stf0', 'en0', 'en1', 'en2', 'bridge0', 'p2p0', 'vnic0', 'vnic1']
Once proper interfaces is selected, and no other error occurs, you will see
ARP Spoofing Detection Started. Any output is redirected to log file.
If you are running Mac OS X, when an ARP spoofing attack is in the network, you will receive a system notification alerting you to take proper actions. Otherwise, the attack will be logged in the log file. You may implement a listener that watches the file for the attack, should you need a realtime notification.