arpwatch keeps track of Ethernet/IP address pairings on a subnet and notifies the system administrator when a change is detected.
If you have multiple interfaces you want to watch, a separate database file should be used for each interface:
foreach i (hme0 qe0 qe1 qe2 qe3 qe4 qe5)
    touch arp-$i.dat
    arpwatch -i $i -f arp-$i.dat
end
Notes
Red Hat 8.0 has an “enhanced” version of arpwatch that supports additional command-line arguments for setuid() and for e-mail to users other than root:
# ./arpwatch -?
Version 2.1a11
usage: arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file]
[-u username] [-e username] [-s username]
# cat /etc/sysconfig/arpwatch
# -u <username> : defines with what user id arpwatch should run
# -e <email> : the <email> where to send the reports
# -s <from> : the <from>-address
OPTIONS=""
Whereas the original version reports:
# /usr/local/sbin/arpwatch -?
Version 2.1a11
usage: arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file]
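The per-interface loop and the Red Hat options above can be combined in one script. The following is an added example, not part of the original page or of arpwatch itself: a POSIX sh version of the loop (the page's loop is csh) that appends -u and -e only when the binary's usage text lists them. The data directory, account name and e-mail address are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Usage lines below are the two
# outputs quoted on this page; on a live host use: usage=$(arpwatch '-?' 2>&1)
USAGE_STOCK='usage: arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file]'
USAGE_REDHAT="$USAGE_STOCK
[-u username] [-e username] [-s username]"

# has_opt USAGE_TEXT LETTER: succeeds if the usage text lists "[-LETTER ".
has_opt() {
    case "$1" in
        *"[-$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_cmd USAGE_TEXT IFACE DATADIR RUN_USER MAILTO
# Prints the command line for one interface, with its own database file.
# -u and -e are appended only when the binary advertises them.
build_cmd() {
    usage=$1 iface=$2 dir=$3 user=$4 mailto=$5
    cmd="arpwatch -i $iface -f $dir/arp-$iface.dat"
    if has_opt "$usage" u; then cmd="$cmd -u $user"; fi
    if has_opt "$usage" e; then cmd="$cmd -e $mailto"; fi
    printf '%s\n' "$cmd"
}

# start_all USAGE_TEXT DATADIR RUN_USER MAILTO IFACE...
# Prints each command (DRY_RUN=1, the default) or creates the file and runs it.
start_all() {
    usage=$1 dir=$2 user=$3 mailto=$4
    shift 4
    for i in "$@"; do
        line=$(build_cmd "$usage" "$i" "$dir" "$user" "$mailto")
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '%s\n' "$line"
            continue
        fi
        touch "$dir/arp-$i.dat"
        # Assumption: with -u the database must be writable by RUN_USER.
        if has_opt "$usage" u; then chown "$user" "$dir/arp-$i.dat"; fi
        $line
    done
}

# Dry run with two interface names from the page's loop. The directory, account
# and address are placeholder assumptions.
start_all "$USAGE_REDHAT" /var/arpwatch arpwatch admin@example.com hme0 qe0
```

Set DRY_RUN=0 to create the database files and start the daemons instead of printing the commands.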