Detect if default gateway MAC address changes in LAN

arpunz.rb

#!/usr/bin/env ruby

require 'logger'

def get_gateway(interface)
  got_errors = true

  default_gateway = %x[netstat -rn | grep -Eo 'default.*([0-9]{1,3}\.){3}[0-9]{1,3}.*#{interface}']
  gateway_ip = %x[echo '#{default_gateway}' | awk '{printf $2}']
  gateway_mac = %x[arp -an | grep -w #{gateway_ip} | awk '{print $4}']

  # if gateway string doesn't match a mac address then there
  # are problems with the interface

  if gateway_mac =~ %r{^([0-9a-fA-F]{1,2}[\.:-]){5}([0-9a-fA-F]{1,2})$}mi
    got_errors = false
  end

  return got_errors, gateway_ip, gateway_mac
end

logger = Logger.new('/tmp/arpunz.log')

# get interface to audit from command line
# these interface works with OSX, replace them
# with your OS interface if needed
int = ARGV[0] == 'en1' ? 'en1' : 'en0'

matching_errors, current_ip, current_mac = get_gateway(int)

if matching_errors
  logger.error "[!] Problems with interface #{int}"
  Kernel.exit
end

loop do
  new_errors, new_ip, new_mac = get_gateway(int)

  if new_errors
    logger.error "[!] Suddenly a problem with interface #{int}"
  else
    logger.info "[?] Current MAC addr for gateway #{current_ip} is #{current_mac}"

    if current_mac != new_mac
      logger.info "[!] MAC addr has changed to #{new_mac}"
      system("osascript -e 'display notification \"Gateway MAC addr has changed to #{new_mac} with IP #{new_ip}\" with title \"Possible MITM detected!\"'")

      current_mac = new_mac
    end
  end

  sleep 5
end