Matt Fiddles

Life's so vast, there's just so much to do...

User Tools

Site Tools


"`My doctor says that I have a malformed public-duty gland and a natural deficiency in moral fibre, and that I am therefore excused from saving Universes.'"

- Ford's last-ditch attempt to get out of helping Slartibartfast.

Where will you go today?

"`Hey this is terrific!' Zaphod said. `Someone down there is trying to kill us!'
`Terrific,' said Arthur.
`But don't you see what this means?'
`Yes. We are going to die.'
`Yes, but apart from that.'
`APART from that?'
`It means we must be on to something!'
`How soon can we get off it?'"

- Zaphod and Arthur in a certain death situation over Magrathea.

Table of Contents


ArpON (Arp handler inspectiON) is a portable handler daemon with some nice tools to handle all ARP aspects.

It makes Arp a bit safer. This is possible using two kinds of anti Arp Poisoning techniques, the first is based on SARPI or “Static Arp Inspection”, the second on DARPI or “Dynamic Arp Inspection” approach.

Features of ArpON include:

  • Detects and blocks ARP Poisoning/Spoofing attacks in statically configured networks (SARPI)
  • Detects and blocks ARP Poisoning/Spoofing attacks in dynamically configured (DHCP) networks (DARPI)
  • Detects and blocks unidirectional and bidirectional ARP attacks
  • Easily configurable via command line switches
  • Works in userspace
  • Can be a passive sniffer and capture all inbound/outbound ARP packets

Network Manager

The following is one possible way to use arpon with a dynamic setup using Network Manager. As the interface can change, we want arpon to manager the currently active interface.

We do this by simply having Network Manager tell arpon which interface to activate on.

Note that this depends on having /usr/sbin/service. If you don't, then simply change /usr/sbin/service arpon to the path of your arpon start script, and make sure you can run /path/to/arpon-script start/stop <interface>.

First, in /etc/defaults/apron, change DAEMON_OPTS and RUN.

# For DARPI uncomment the following line
DAEMON_OPTS="-i $2 -q -f /var/log/arpon/arpon.log -g -d"
# Modify to RUN="yes" when you are ready

You notice the $2? Well, this is the interface that NM is passing on.

Then create /etc/NetworkManager/dispatcher.d/50arpon. It will control arpon from NM. Here it is:

#!/bin/sh -e
# Script to dispatch NetworkManager events
# Runs ifupdown scripts when NetworkManager fiddles with interfaces.
# See NetworkManager(8) for further documentation of the dispatcher events.
if [ -z "$1" ]; then
    echo "$0: called with no interface" 1>&2
    exit 1;
# Fake ifupdown environment
export IFACE="$1"
export LOGICAL="$1"
export ADDRFAM="NetworkManager"
export METHOD="NetworkManager"
export VERBOSITY="0"
# Run the right scripts
case "$2" in
       export MODE="start"
       export PHASE="post-up"
       /usr/sbin/service arpon start $IFACE
	export MODE="stop"
	export PHASE="post-down"
	/usr/sbin/service arpon stop $IFACE
# pre-up/pre-down not implemented. See
#    pre-up)
#	export MODE="start"
#	export PHASE="pre-up"
#	exec run-parts /etc/network/if-pre-up.d
#	;;
#    pre-down)
#	export MODE="stop"
#	export PHASE="pre-down"
#	exec run-parts /etc/network/if-down.d
#	;;
	echo "$0: called with unknown action \`$2'" 1>&2
	exit 1

That's it. Pretty simple really. Oh, and make sure you disable arpon from starting with the machine. It is controlled by NM:

update-rc.d arpon disable
chkconfig arpon disable
systemctl disable arpon


Simple way to check is to verify the logs. The following appears to be working:

  11:26:35 - Wait link connection on wlan0...
  11:26:40 - DARPI on dev(wlan0) inet( hw(yy:yy:yy:yy:yy:yy)
  11:26:40 - Deletes these Arp Cache entries:
  11:26:40 - 1) -> xx:xx:xx:xx:xx:xx
  11:26:40 - Cache entry timeout: 500 milliseconds.
  11:26:40 - Realtime Protect actived!
  11:26:40 - Request >> Add entry
  11:26:40 - Reply   << Refresh entry -> xx:xx:xx:xx:xx:xx

It's already adding arps and checking them.

However, if you start it and get this (and nothing more), it's probably not working:

11:15:04 - WARNING: eth0: no IPv4 address assigned

The above was Arpon trying to protect my disconnected ethernet cable (eth0) rather than my wifi (wlan0).

Of course, the only real method to see if it is working is to try to arp poision your own machine, but I'll leave that excersize to you…

computers/linux/arpon.txt · Last modified: Apr 24, 2014 (5 years ago) by Matt Bagley