How To Monitor Ethernet Activity In Linux Using Arpwatch

Arpwatch is an open source computer software that is used for monitoring Address Resolution Protocol traffic on a computer network. With Arpwatch, you can easily keep a log or database of all Ethernet and IP address pairings. That is, a list of all identified IP and MAC addresses pairings and their corresponding timestamps.

Arpwatch uses pcap to listen to arp packets on a local network to monitor ARP activity to detect ARP spoofing, network flip-flops, changed and new stations and address reuse. It also has the option of reporting these changes via email.  

How To Monitor Ethernet Activity In Linux?

Let us take a look at how to monitor the ethernet activity using arpwatch on Linux.

Before you can use the arpwatch tool, you will need to first install it as it typically will not come with your Linux distro.

On Debian, Ubuntu and other distros based on them such as Linux Mint, arpwatch tool can be installed by using the apt-get command.​

Install arpwatch In Debian/Ubuntu Based Distros

$ sudo apt-get install arpwatch   

On RHEL and related distros such as CentOS, arpwatch can be installed using the yum command.

$ yum install arpwatch   

On latest Fedora systems, Arpwatch is installed using dnf.

$ sudo dnf install arpwatch   ​

Arpwatch uses some important files and it is essential to note the locations of these files. The locations may vary a bit depending on the distro that you are using.

/var/arpwatch – default directory
/var/arpwatch/arp.dat – Main ethernet/ip address records database
/var/arpwatch/ethercodes.dat – vendor ethernet block list
/etc/rc.d/init.d/arpwatch – Arpwatch service to start or stop daemon
/etc/sysconfig/arpwatch – This is the main configuration file
/usr/sbin/arpwatch – Binary command to start and stop tool using the terminal
/var/log/messages – It is the system log file where arpwatch writes any changes or unusual activity to IP/MAC If you want logs to be sent to a specific email address, edit the main configuration file to add your email addressOpen /etc/sysconfig/arpwatch and edit the file with this eth0 -a -n 192.168.1.0/24 -m [email protected] via terminal with

OPTIONS=” -u arpwatch -e [email protected] -s ‘root (Arpwatch)'”

The email notification will be sent to the specified email id with log details.

Type the following command to start the arpwatch service –

$ sudo chkconfig --level 35 arpwatch on
$ sudo /etc/init.d/arpwatch start

Verify that the process is running with ps -ef|grep arpwatch

Execute the Arpwatch command with -i option and the device name to watch a specific interface.

$ arpwatch -i eth0 

Anytime there is a new MAC is plugged or a particular IP is changing its MAC address on the ethernet network, you will notice syslog entries at either ‘/var/log/syslog‘ or ‘/var/log/message‘ file.

Here’s a quick list of the report messages generated by arpwatch.

new activity – This ethernet/ip address pair has been used for the first time six months or more.
new station – The ethernet address has not been seen before.
flip flop – The ethernet address has changed from the most recently seen address to the second most recently seen address. If either the old or new ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.
changed ethernet address – The host switched to a new ethernet address.

For more information enter ‘man arpwatch’ via the terminal.

Hope you find this tutorial useful. Share your thoughts with us in the comments below.