is an open source computer software that is used for monitoring Address Resolution Protocol
traffic on a computer network. With Arpwatch
, you can easily keep a log or database of all Ethernet and IP address pairings. That is, a list of all identified IP and MAC addresses pairings and their corresponding timestamps. Arpwatch
uses pcap to listen to arp packets on a local network to monitor ARP activity to detect ARP spoofing, network flip-flops, changed and new stations and address reuse. It also has the option of reporting these changes via email.
Let us take a look of how to monitor the ethernet activity using arpwatch on Linux.Before you can use the arpwatch tool, you will need to first install it as it typically will not come with your Linux distro.
On Debian, Ubuntu and other distros based on them such as Linux Mint, arpwatch tool can be installed by using the apt-get command.
On latest Fedora systems, Arpwatch is installed using dnf.
Arpwatch uses some important files and it is essential to note the locations of these files. The locations may vary a bit depending on the distro that you are using.
If you want logs to be sent to a specific email address, edit the main configuration file to add your email addressOpen /etc/sysconfig/arpwatch and edit the file with this
The email notification will be sent to the specified email id with log details.Type the following command to start the arpwatch service –
Execute the Arpwatch command with –i option and the device name to watch a specific interface.
Anytime there is a new MAC is plugged or a particular IP is changing its MAC address on the ethernet network, you will notice syslog entries at either ‘/var/log/syslog‘ or ‘/var/log/message‘ file.Here’s a quick list of the report messages generated by arpwatch
new activity – This ethernet/ip address pair has been used for the first time six months or more.
new station – The ethernet address has not been seen before.
flip flop – The ethernet address has changed from the most recently seen address to the second most recently seen address. If either the old or new ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.
changed ethernet address – The host switched to a new ethernet address.
For more information enter ‘man arpwatch’ via the terminal.
Hope you find this tutorial useful. Share your thoughts with us in the comments below.