arpwatch keeps track of Ethernet/IP address pairings on a subnet and notifies the system administrator when a change is detected.
If you have multiple interfaces you want to watch, a separate database file should be used for each interface:
    foreach i (hme0 qe0 qe1 qe2 qe3 qe4 qe5)
        touch arp-$i.dat
        arpwatch -i $i -f arp-$i.dat
    end
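An added example (not part of arpwatch or of the original page): a Python check that reads the per-interface databases created above and reports any IP address that appears with more than one ethernet address, within one file or across files. It assumes each database line holds the ethernet address, IP address, epoch timestamp and an optional hostname separated by whitespace, and that octets may be written without leading zeros; the function names and the sample data are constructed for illustration.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample databases (not real captures), keyed by per-interface file name.
SAMPLE = {
    "arp-hme0.dat": "0:e0:29:1b:c4:5\t192.0.2.10\t1035000000\thosta\n"
                    "8:0:20:a:b:c\t192.0.2.11\t1035000100\n",
    "arp-qe0.dat": "0:c:f1:aa:bb:cc\t192.0.2.10\t1035000500\n"
                   "08:00:20:0a:0b:0c\t192.0.2.11\t1035000200\n"
                   "truncated-line\n",
}


def normalize_mac(mac):
    """Zero-pad octets so 0:e0:29:1b:c4:5 and 00:e0:29:1b:c4:05 compare equal."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError(f"not an ethernet address: {mac!r}")
    return ":".join(o.zfill(2) for o in octets)


def parse_db(text, source):
    """Yield (ip, mac, timestamp, source); assumed fields: MAC, IP, epoch, [hostname]."""
    for line in text.splitlines():
        fields = line.split()
        try:
            yield fields[1], normalize_mac(fields[0]), int(fields[2]), source
        except (IndexError, ValueError):
            continue  # skip malformed lines instead of aborting the whole check


def conflicting_ips(records):
    """Return {ip: [(timestamp, mac, source), ...]} for IPs seen with more than one MAC."""
    seen = defaultdict(dict)
    for ip, mac, ts, source in records:
        if mac not in seen[ip] or ts > seen[ip][mac][0]:
            seen[ip][mac] = (ts, source)  # keep the latest sighting of each pairing
    return {ip: sorted((ts, mac, src) for mac, (ts, src) in macs.items())
            for ip, macs in seen.items() if len(macs) > 1}


def check(databases):
    """databases maps a file name to its contents; returns the conflict report."""
    return conflicting_ips(r for name, text in databases.items() for r in parse_db(text, name))


if __name__ == "__main__":
    # With file arguments, check those databases; with none, run on the constructed sample.
    dbs = {p: Path(p).read_text() for p in sys.argv[1:]} or SAMPLE
    for ip, sightings in sorted(check(dbs).items()):
        print(ip, *(f"{mac} ({src}, {ts})" for ts, mac, src in sightings))
```

Run it with the database files as arguments, for example arp-hme0.dat arp-qe0.dat; each output line lists one IP address followed by every ethernet address recorded for it, oldest sighting first.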
Notes:
RedHat 8.0 has an "enhanced" version of arpwatch that supports additional command-line arguments for setuid() and for sending e-mail to users other than root:

    # ./arpwatch -?
    Version 2.1a11
    usage: arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file] [-u username] [-e username] [-s username]

    # cat /etc/sysconfig/arpwatch
    # -u <username> : defines with what user id arpwatch should run
    # -e <email> : the <email> where to send the reports
    # -s <from> : the <from>-address
    OPTIONS=""

Whereas the original version reports:
    # /usr/local/sbin/arpwatch -?
    Version 2.1a11
    usage: arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file]