arpwatch monitors ARP (Address Resolution Protocol) traffic on a network and logs changes to the Ethernet/IP address pairings it sees. It detects ARP spoofing, MAC address changes, and other network anomalies.
Basic Usage
- arpwatch -i eth0 - Monitor interface
- arpwatch -d -i eth0 - Run in foreground (debug)
- arpwatch -f arp.dat -i eth0 - Use database file
- arpwatch -u arpwatch -i eth0 - Run as user
Options
- -i interface - Network interface to monitor
- -d - Debug mode (foreground)
- -f file - Database file (default: /var/lib/arpwatch/arp.dat)
- -u user - Run as user
- -n net/mask - Network specification
- -r file - Read from pcap file
- -m addr - Ignore MAC address
- -N - Suppress reporting of station flip flops
Database Files
- /var/lib/arpwatch/arp.dat - ARP database
- /var/lib/arpwatch/ethercodes.dat - Ethernet vendor codes
- arpwatch -f custom.dat -i eth0 - Custom database
Log Files
- /var/log/arpwatch.log - Activity log
- /var/log/syslog - System log (if configured)
- tail -f /var/log/arpwatch.log - Watch live
Common Examples
Monitor Interface
arpwatch -i eth0
Start monitoring on the given interface.
Debug Mode
arpwatch -d -i eth0
Run in foreground for debugging.
Custom Database
arpwatch -f /path/to/arp.dat -i eth0
Use a custom database file.
Read from PCAP
arpwatch -r capture.pcap
Analyze captured traffic.
Ignore MAC
arpwatch -m 00:11:22:33:44:55 -i eth0
Ignore a specific MAC address.
View Logs
tail -f /var/log/arpwatch.log
Monitor activity in real-time.
Detection Events
- New station - New MAC/IP pair detected
- Changed ethernet address - The MAC address paired with an IP changed
- Flip flop - An IP's MAC address alternating between two values
- Bogon - Invalid IP address
- Reused old ethernet address - MAC reappeared
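To show what the events above mean in practice, here is an added Python example (not arpwatch's own code and not part of the original page) that re-implements its pairing rules in simplified form: a table of IP-to-MAC history, a local-network list standing in for -n net/mask so off-net addresses are reported as bogons, and a constructed sequence of sightings in which a second MAC starts answering for the gateway address. The flip flop versus reused-old-address distinction follows the message names listed above; the real daemon's timing and database details are not reproduced (assumption).

```python
import ipaddress


class ArpWatcher:
    """Simplified, constructed re-implementation of arpwatch's pairing rules."""

    def __init__(self, local_nets):
        # Equivalent of -n net/mask: a sighting outside these nets is a "bogon"
        self.nets = [ipaddress.ip_network(n) for n in local_nets]
        self.table = {}  # ip -> [[mac, last_seen], ...]; index 0 is the current pairing

    def observe(self, ip, mac, ts):
        """Classify one ARP sighting; returns an event name or None if nothing changed."""
        mac = mac.lower()
        if not any(ipaddress.ip_address(ip) in n for n in self.nets):
            return "bogon"
        hist = self.table.setdefault(ip, [])
        if not hist:
            hist.append([mac, ts])
            return "new station"
        if hist[0][0] == mac:
            hist[0][1] = ts  # same pairing as before: just refresh the timestamp
            return None
        pos = next((i for i, (m, _) in enumerate(hist) if m == mac), None)
        if pos is None:
            hist.insert(0, [mac, ts])
            return "changed ethernet address"
        entry = hist.pop(pos)
        entry[1] = ts
        hist.insert(0, entry)
        # Back to the immediately previous MAC is a flip flop; an older one is a reuse
        return "flip flop" if pos == 1 else "reused old ethernet address"


def replay(sightings, local_nets=("192.168.1.0/24",)):
    """Feed (timestamp, ip, mac) sightings through a watcher; return the reported events."""
    w = ArpWatcher(local_nets)
    return [(ip, mac, ev) for ts, ip, mac in sightings if (ev := w.observe(ip, mac, ts))]


# Constructed sample: gateway .1 is legitimately at aa:bb:cc:00:00:01, then another
# host starts answering for it, the pattern ARP spoofing leaves in arpwatch's log.
SAMPLE = [
    (1000, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1010, "192.168.1.1", "de:ad:be:ef:00:99"),  # a second MAC claims the gateway IP
    (1012, "192.168.1.1", "aa:bb:cc:00:00:01"),  # the real gateway answers again
    (1020, "192.168.1.1", "aa:bb:cc:00:00:02"),
    (1030, "192.168.1.1", "de:ad:be:ef:00:99"),
    (1040, "10.0.0.5", "aa:bb:cc:00:00:03"),  # outside the configured local net
]
```

Running replay(SAMPLE) yields new station, changed ethernet address, flip flop, changed ethernet address, reused old ethernet address and bogon, in that order; a repeated sighting of an unchanged pairing produces no event.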
Tips
- Run as daemon for continuous monitoring
- Check logs regularly for anomalies
- Use -d for initial setup and testing
- Monitor for MAC address changes (possible ARP spoofing)
- Essential for network security monitoring
- Detects ARP cache poisoning attacks
- Use with email alerts for critical changes
- Review database periodically