Category: Sniffing & Spoofing. Tags: arp, monitoring, ethernet, mac, ip, network, security

arpwatch

arpwatch monitors Ethernet/FDDI station activity by maintaining a database of MAC addresses and their associated IP pairs. It alerts system administrators via email on changes like new stations, flip-flops, or reused addresses.

Description

arpwatch is an Ethernet/FDDI station activity monitor that tracks pairings between MAC addresses and IP addresses on the network. It maintains a database and sends email alerts for anomalies such as new station activity, address flip-flops, changes, or reused old addresses. This helps detect unauthorized devices or potential network issues.

Use cases include network security monitoring, intrusion detection, and maintaining visibility into connected devices. For manual management of authorized MAC addresses, arpalert is recommended as an alternative.

The package includes supporting tools like arp2ethers for database conversion, arpfetch and arpsnmp for SNMP-based pairing collection, bihourly for automated tracking, and massagevendor for vendor code processing.

How It Works

arpwatch captures Ethernet traffic with libpcap and builds a database (/var/lib/arpwatch/arp.dat) of MAC/IP pairings. Each new observation is compared against the database; when it differs (a never-seen station, an IP that has moved to another MAC, an IP flip-flopping back to its previous MAC, or an old MAC reappearing), arpwatch sends an email alert via sendmail. The related tools arpfetch and arpsnmp collect the same pairings from remote hosts over SNMP, and bihourly automates periodic checks from a list of hosts.
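To make the database comparison concrete, the following is an added Python sketch (not arpwatch's own code) of how observed MAC/IP pairs are checked against an arp.dat-style history and sorted into the event types described above. It assumes the arp.dat line layout `mac<TAB>ip<TAB>unix_timestamp[<TAB>hostname]` and only approximates arpwatch's report names; all sample data is constructed.

```python
"""Toy arpwatch-style change detector (added example, not arpwatch code)."""
from collections import defaultdict

# Constructed sample arp.dat content; assumed layout: mac, ip, timestamp, hostname.
SAMPLE_ARP_DAT = """\
0:11:22:33:44:55\t192.168.1.10\t1700000000\tprinter
0:11:22:33:44:66\t192.168.1.10\t1700003600\tprinter
aa:bb:cc:dd:ee:01\t192.168.1.20\t1700007200\tnas
"""

def load_arp_dat(text):
    """Return {ip: [mac, ...]}, oldest first, most recently seen last."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        rows.append((int(fields[2]), fields[1], fields[0].lower()))
    history = defaultdict(list)
    for _ts, ip, mac in sorted(rows):
        history[ip].append(mac)
    return history

def classify(history, mac, ip):
    """Classify one observed (mac, ip) pair against the history and record it.
    Returns None when the pairing is unchanged (nothing to report)."""
    mac = mac.lower()
    macs = history[ip]
    if not macs:
        event = "new station"                  # IP never seen before
    elif macs[-1] == mac:
        return None                            # same pairing as last time
    elif len(macs) >= 2 and macs[-2] == mac:
        event = "flip flop"                    # back to the previous MAC
    elif mac in macs:
        event = "reused old ethernet address"  # an older MAC has returned
    else:
        event = "changed ethernet address"     # IP moved to an unknown MAC
    if mac in macs:
        macs.remove(mac)
    macs.append(mac)                           # this MAC is now the current one
    return event

def run(observations, text=SAMPLE_ARP_DAT):
    """Feed constructed (mac, ip) observations through the detector."""
    history = load_arp_dat(text)
    reports = []
    for mac, ip in observations:
        event = classify(history, mac, ip)
        if event:
            reports.append((event, ip, mac))
    return reports
```

A real deployment would read the same kind of pairings from libpcap and turn each returned event into the email alert arpwatch sends.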

Installation

```bash
sudo apt install arpwatch
```

Flags

| Flag | Description | Tool |
| --- | --- | --- |
| -dN | Debug and no daemon mode | arpwatch |
| -f datafile | Specify datafile | arpwatch, arpsnmp |
| -F "filter" | BPF filter expression | arpwatch |
| -i interface | Network interface | arpwatch |
| -n net[/width] | Local network | arpwatch |
| -r file | Read from pcap file instead of interface | arpwatch |
| -s sendmail_path | Sendmail path | arpwatch, arpsnmp |
| -p | Don't drop privileges | arpwatch |
| -a | Alert on too many MAC changes | arpwatch |
| -m addr | Mail address for alerts | arpwatch, arpsnmp |
| -u username | Drop privileges to username | arpwatch |
| -Q | Disable DNS queries | arpwatch |
| -z ignorenet/ignoremask | Ignore network/mask | arpwatch |
| -d | Debug mode | arpsnmp |

Examples

Display arpwatch usage and version 2.1a15:

```bash
arpwatch -h
```

Display arpsnmp usage and version 2.1a15:

```bash
arpsnmp -h
```

Display arpfetch usage (`arpfetch host cname`):

```bash
arpfetch -h
```

Convert the default /var/lib/arpwatch/arp.dat to ethers format on stdout:

```bash
arp2ethers
```

Convert a specified arp.dat file to ethers(5) format:

```bash
arp2ethers [ arp.dat file ]
```

Run the bihourly script to track Ethernet/IP pairs via arpfetch and arpsnmp:

```bash
bihourly
```

Process Ethernet vendor codes (prints sed usage, since the tool is a script):

```bash
massagevendor -h
```
Updated 2026-04-16 (source: kali.org)