Have you looked at Arpwatch: http://online.securityfocus.com/tools/142
I use it and am very impressed and thankful that I have it. Occasionally laptops will still carry the IP address of the home DSL/Cable connection and once they connect to our network that will get reported and cause a false alarm, better than no alarm.

-Matt

On Friday 08 November 2002 02:31 am, Trevor Cushen wrote:
> Hello Michael,
>
> I am looking at that at the moment. Encryption is the best way to go to
> protect against sniffing and there are millions of ways to enable it
> around a network in one form or another.
>
> On the other side I am putting together a series of Perl scripts and web
> front ends to monitor devices on the network because I want to detect
> new and unauthorised MAC addresses on my network.
>
> Ettercap has a flag that will detect ARP poisoning on the network as
> well as a flag for running ARP requests across the network. What I have
> done is set this up to test my network at MAC level only.
>
> I gather the results and match it off against a list of my valid MAC
> addresses etc etc. A nice colour coded web front end will show red for
> unrecognised and online MAC addresses. Green online and recognised etc.
> A history option to tell me when machines went online and offline.
>
> This way if any new device is added to my network then I know about it
> even if it does spoof the MAC address later to sniff only. This came
> about after it was suspected that people could come in with laptops and
> copy off files which of course will not trigger any IDS system as it is
> valid traffic.
>
> But if a wireless AP was added to the network then I will detect that
> too because it will be an unknown MAC address.
>
> I am nearly finished developing this but if anyone knows of a utility
> that already does this well then please let me know.
>
> Trevor Cushen
> Sysnet Ltd
>
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
>
> -----Original Message-----
> From: Michael Ungar [mailto:m_ungar@;yahoo.com]
> Sent: 07 November 2002 04:27
> To: [EMAIL PROTECTED]
> Subject: ARP Poisoning
>
> From security books I've read it's not hard to
> eavesdrop on network communication using tools like
> dsniff, even in a switched environment. My
> understanding is that it is accomplished quite easily
> by ARP poisoning your victim in thinking your
> machine's MAC as the router MAC & after interception, re-forwarding the
> traffic back to the true router MAC.
>
> Assuming the network environment is large (e.g.,
> configuring port switches for specific MAC addresses
> not practical) & desktop security cannot be guaranteed
> (and thereby cannot prevent people from allowing
> machines to IP forward), how can one defend against
> other than encrypting data.
>
> Thanks....Mike

--
----------
Matt Hemingway
[EMAIL PROTECTED]
http://www.pcnalert.com
626-585-2788 x136
----------
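
The monitoring approach described in the quoted message (match observed MACs against a list of valid ones, colour-code the status, keep an online/offline history), combined with a report when an IP address starts answering from a different MAC, as an added Python example that is not code from this thread or from Arpwatch. The addresses, sweep data and names (`Monitor`, `ingest`, `KNOWN`, `SWEEPS`) are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed data: allowlist of authorised MACs and three ARP sweeps of (ip, mac).
KNOWN = {"00:11:22:33:44:55": "fileserver", "00:11:22:33:44:66": "gateway"}
SWEEPS = [
    ("09:00", [("192.0.2.1", "00:11:22:33:44:66"), ("192.0.2.10", "00-11-22-33-44-55")]),
    ("09:05", [("192.0.2.1", "00:11:22:33:44:66"), ("192.0.2.10", "00:11:22:33:44:55"),
               ("192.0.2.77", "02:00:00:00:00:01")]),
    ("09:10", [("192.0.2.1", "02:00:00:00:00:01"), ("192.0.2.77", "02:00:00:00:00:01")]),
]

def normalize(mac):
    """Canonical form so 00-11-22-... and 00:11:22:... compare equal."""
    return mac.strip().lower().replace("-", ":")

@dataclass
class Monitor:
    known: dict
    online: set = field(default_factory=set)
    ip_owner: dict = field(default_factory=dict)  # ip -> MAC last seen answering for it
    history: list = field(default_factory=list)   # (time, mac, "online" | "offline")

    def ingest(self, ts, sightings):
        """Process one sweep and return the alerts it raises."""
        alerts, seen = [], set()
        for ip, mac in sightings:
            mac = normalize(mac)
            seen.add(mac)
            prev = self.ip_owner.get(ip)
            if prev is not None and prev != mac:
                # Same IP, different MAC: ARP poisoning or a benign re-address.
                alerts.append(("ip-mac-changed", ip, prev, mac))
            self.ip_owner[ip] = mac
        for mac in sorted(seen - self.online):
            self.history.append((ts, mac, "online"))
            if mac not in self.known:
                alerts.append(("unknown-mac", mac))
        for mac in sorted(self.online - seen):
            self.history.append((ts, mac, "offline"))
        self.online = seen
        return alerts

    def status(self):
        """Red = online and unrecognised, green = online and recognised."""
        return {m: "green" if m in self.known else "red" for m in sorted(self.online)}

def run_demo():
    mon = Monitor(KNOWN)
    return mon, [mon.ingest(ts, sightings) for ts, sightings in SWEEPS]

if __name__ == "__main__":
    monitor, alerts = run_demo()
    print(alerts, monitor.status(), monitor.history, sep="\n")
```

The `ip-mac-changed` alert is the one that fires on the gateway address in the third sweep; the same check also fires for benign re-addressing, so each hit still needs a look.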
