sting is a simple, host-based approach to detecting arp cache poisoning based man in the middle attacks (such as have been made famous by ettercap) on your LAN. it simply uses SNMP to periodically query the arp cache of your router and make sure its entry for you is correct. if it finds your entry has been replaced by something bogus, it sends you an alert. it is written in java for some strange reason.

assumptions:

• if anyone is launching a man in the middle attack on you, one of the paths they intercept is going to be between you and your default gateway
• your router implements the ipNetToMediaTable correctly and you know a read-access community string for it
• no one has yet gone to the trouble of writing a filter for ettercap specifically to defeat this approach (which was true as of 21 Feb 2007 to best of my knowledge)

external packages sting requires (that are not in the SE):

• JavaBeans Activation Framework, available locally here.
• JavaMail 1.4, available locally here.
• Jonathan Sevy's SNMP package (version 1.4.1), available locally here.

to-do list:

• test on Windows
• if I get real ambitious, implement other notification methods like snmp traps and syslogs

thanks to Jonathan Sevy for writing the snmp package, and to Portland State University, Jim Binkley and David Burns for providing network lab access for testing.