arp spoofing detect

one day you feel that your server slow down.
ping timeout occasionally
and users have report that they encountered virus when they visit your site.

how to detect arp spoofing on your server? and how to solve arp spoofing problem?

you need install arpwatch
use yum or apt-get
then use cmd:
arpwatch -i eth0
then check you log
/var/log/message
or
/var/log/syslog
depend on which sys do you use.
then use
route cmd find your default gateway
tail -n 300 /var/log/message | grep "gateway ip"
or
tail -n 300 /var/log/syslog | grep "gateway ip"
if you find the gateway mac address change frequently, then there must be a problem.

slove the arp spoofing
you need bind you gateway mac address with your server
use
arp -s gateway ip gateway mac address

also i need ask you network admin to bind your mac address on the gateway


sometimes
if your network really slow down, you can easily use arp -a to check the arp spoofing
if you find
two ip with different mac address in your arp table then that maybe a problem, and you haven't ping any other host in the same network.

if you find
two ip with same mac address in your arp table then that must have a problem.