How To Monitor Ethernet Activity In Linux Using Arpwatch

Arpwatch is an open source computer software that is used for monitoring Address Resolution Protocol traffic on a computer network. With Arpwatch, you can easily keep a log or database of all Ethernet and IP address pairings. That is, a list of all identified IP and MAC addresses pairings and their corresponding timestamps.

Arpwatch uses pcap to listen to arp packets on a local network to monitor ARP activity to detect ARP spoofing, network flip-flops, changed and new stations and address reuse. It also has the option of reporting these changes via email.  

How To Monitor Ethernet Activity In Linux?

Let us take a look at how to monitor the ethernet activity using arpwatch on Linux.

Before you can use the arpwatch tool, you will need to first install it as it typically will not come with your Linux distro.

On Debian, Ubuntu and other distros based on them such as Linux Mint, arpwatch tool can be installed by using the apt-get command.​

Install arpwatch In Debian/Ubuntu Based Distros

$ sudo apt-get install arpwatch   

On RHEL and related distros such as CentOS, arpwatch can be installed using the yum command.

$ yum install arpwatch   

On latest Fedora systems, Arpwatch is installed using dnf.

$ sudo dnf install arpwatch   ​

Arpwatch uses some important files and it is essential to note the locations of these files. The locations may vary a bit depending on the distro that you are using.

/var/arpwatch – default directory
/var/arpwatch/arp.dat – Main ethernet/ip address records database
/var/arpwatch/ethercodes.dat – vendor ethernet block list
/etc/rc.d/init.d/arpwatch – Arpwatch service to start or stop daemon
/etc/sysconfig/arpwatch – This is the main configuration file
/usr/sbin/arpwatch – Binary command to start and stop tool using the terminal
/var/log/messages – It is the system log file where arpwatch writes any changes or unusual activity to IP/MAC If you want logs to be sent to a specific email address, edit the main configuration file to add your email addressOpen /etc/sysconfig/arpwatch and edit the file with this eth0 -a -n 192.168.1.0/24 -m [email protected] via terminal with

OPTIONS=” -u arpwatch -e [email protected] -s ‘root (Arpwatch)'”

The email notification will be sent to the specified email id with log details.

Type the following command to start the arpwatch service –

$ sudo chkconfig --level 35 arpwatch on
$ sudo /etc/init.d/arpwatch start

Verify that the process is running with ps -ef|grep arpwatch

Execute the Arpwatch command with -i option and the device name to watch a specific interface.

$ arpwatch -i eth0 

Anytime there is a new MAC is plugged or a particular IP is changing its MAC address on the ethernet network, you will notice syslog entries at either ‘/var/log/syslog‘ or ‘/var/log/message‘ file.

Here’s a quick list of the report messages generated by arpwatch.

new activity – This ethernet/ip address pair has been used for the first time six months or more.
new station – The ethernet address has not been seen before.
flip flop – The ethernet address has changed from the most recently seen address to the second most recently seen address. If either the old or new ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.
changed ethernet address – The host switched to a new ethernet address.

For more information enter ‘man arpwatch’ via the terminal.

Hope you find this tutorial useful. Share your thoughts with us in the comments below.

Sohail
Sohail

Mohd Sohail is a web developer and a Linux sysAdmin. He also loves to write how-to articles, applications reviews and loves to use new Linux distributions.

Articles: 842

4 Comments

  1. It seems ArpWatch(8) no longer uses conf files according to their website. Documentation seems sparse, anyone have a link to the new way to run Arpwatch?

    • Do you found a solution? I have also some problems.
      1. sudo chkconfig –level 35 arpwatch on failed for me but I guess it is no must have to run it (?)
      2. /etc/sysconfig/arpwatch does not have any content

  2. arpwatch does not support a configuration file, but the systemd unit files
    shipped with Debian allow to launch arpwatch with different configurations on
    each interface

    In order to do that, create a file called IFNAME.iface which contains variable
    assignments in sh syntax (comments are allowed). You can use the following
    variables to influence the invocation for that specific interface only:
    * ARGS: overwrite the ARGS from /etc/default/arpwatch
    * PCAP_FILTER: overwrite (or set) the pcap filter
    * IFACE_ARGS: additional options to be passed to arpwatch

    See `man 8 arpwatch` for available arguments. Note that the -f, -i and -u
    options are added by the init system and should not used. If you just want to
    apply the options specified in /etc/default/arpwatch for an interface you do
    not need to create a configuration file.

    For example, if you want to send mails about arpwatch events on eth0 to
    [email protected], you can generate the configuration file using the
    following command:

    echo ‘IFACE_ARGS=”-m [email protected]“‘ > /etc/arpwatch/eth0.iface

Leave a Reply

Your email address will not be published. Required fields are marked *