Man-in-middle detection script

Fri, 7 Aug 2009 22:23:21 +0200
Tags: security, network

Here is a simple ARP spoofing detection script. It warns you when someone tries to sniff the network traffic between your host and your default gateway (see ARP spoofing attack for details).

It checks the dump file of your kernel ARP table ("/proc/net/arp") to see if there is more than one IP addresses associated with one single MAC address. If so, it shows an alert and displays the current poisoned ARP table.

On MITM detection, ouputs:

*** At 09/08/07-18:01:31 - WARNING - MITM detected ***
IP address       HW type     Flags       HW address            Mask Device     0x1         0x2         00:aa:bb:cc:dd:a4     *    eth0    0x1         0x2         00:aa:bb:cc:dd:a4     *    eth0

For a better usage, launch it into a xterm (as shown in the script header).

(Updated the 2013/03/09) I have implemented this script in a C function to use it in my favourite window manager DWM ( It is also available on the dwmstatus's page: