247intruderwatchusingarp
ONE SIMPLEST SOLUTION
No email, no SMTP, just log checking:
1. Install arpwatch and arp-scan (arp-scan is used in steps 2 and 4):
sudo apt update && sudo apt install arpwatch arp-scan -y
sudo systemctl enable --now arpwatch
2. Create a list of known MACs (DO THIS WHEN THE NETWORK IS CLEAN):
sudo arp-scan --localnet | grep -o -E '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' | sort -u > /home/youruser/known_macs.txt
4. To check for any intruder:
sudo arp-scan --localnet | grep -o -E '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' | while read mac; do grep -q -i "$mac" /home/youruser/known_macs.txt || echo "🚨 INTRUDER: $mac"; done
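The same baseline comparison as a reusable shell function, added here as an example and not part of the original page. It goes beyond the one-liner by printing the IP next to each unknown MAC, ignoring case, and returning an exit status a cron job or script can act on. The names find_unknown_macs and sample_scan are hypothetical, and arp-scan host lines are assumed to be laid out as IP, MAC, vendor.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# find_unknown_macs KNOWN_FILE: reads arp-scan output on stdin and prints
# "MAC IP" for every responder whose MAC is not in KNOWN_FILE.
# Exit status: 0 = all known, 1 = unknown device(s), 2 = baseline unusable.
find_unknown_macs() {
    known_file=$1
    # A missing or empty baseline would flag every device, so stop instead.
    if [ ! -s "$known_file" ]; then
        echo "baseline $known_file is missing or empty" >&2
        return 2
    fi
    awk '
        # First file: the baseline, one MAC per line, lowercased for comparison.
        NR == FNR { known[tolower($1)] = 1; next }
        # stdin: keep host lines only (assumed layout: IP, MAC, vendor).
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && length($2) == 17 &&
        $2 ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/ {
            mac = tolower($2)
            if (!(mac in known) && !(mac in seen)) {
                seen[mac] = 1      # report duplicate replies once
                print mac, $1
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$known_file" -
}

# Constructed sample of arp-scan output (all addresses are made up).
sample_scan() {
    printf 'Interface: eth0, type: EN10MB, MAC: 08:00:27:aa:bb:cc, IPv4: 192.168.1.10\n'
    printf '192.168.1.1\ta4:2b:b0:11:22:33\tConstructed Vendor A\n'
    printf '192.168.1.23\t3C:5A:B4:44:55:66\tConstructed Vendor B\n'
    printf '192.168.1.77\tde:ad:be:ef:00:01\t(Unknown)\n'
    printf '192.168.1.77\tde:ad:be:ef:00:01\t(Unknown) (DUP: 2)\n'
}

# Real use:
#   sudo arp-scan --localnet | find_unknown_macs /home/youruser/known_macs.txt
```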
VERIFICATION:
To verify everything works:
Check arpwatch is running: sudo systemctl status arpwatch
Check it starts on reboot: sudo systemctl is-enabled arpwatch (should say "enabled")
See your known MACs: cat /home/youruser/known_macs.txt
Run check anytime: Use Step 4 command above
WHAT HAPPENS:
arpwatch runs 24/7 in background (passive monitoring)
Your check command (Step 4) actively scans and compares against known MACs when you run it
If the output shows "🚨 INTRUDER: XX:XX:XX:XX:XX:XX", that MAC is not in known_macs.txt: an unauthorized device
That's the complete, verified solution. 4 commands total.
247intruderwatchusingarp.txt · Last modified: by jwan
