arpwatch
Arpwatch keeps track of ethernet/ip address pairings. It syslogs activity and reports certain changes via email.
Usage
Usage:
arpwatch
[ -i interface ] # Interface to use
[ -r file ] # Read from file (ex. tcpdump)
[ -s sendmail_path ] # path to the sendmail program. Any program that takes the option `-odi` and then text from `stdin` can be substituted. This is useful for redirecting reports to log files instead of mail.
[ -m addr ] # Sendmail address
[ -u username ] # Drop privileges to <username>
[ -Q ] # Do not send out mails
Report Messages
Here’s a quick list of the report messages generated by arpwatch:
new activity: This ethernet/ip address pair has been used for the first time in six months or more.
new station: The ethernet address has not been seen before.
flip flop: The ethernet address has changed from the most recently seen address to the second most recently seen address. (If either the old or new ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.)
changed ethernet address: The host switched to a new ethernet address.
Syslog Messages
Here are some of the syslog messages; note that messages that are reported are also syslogged.
ethernet broadcast: The mac ethernet address of the host is a broadcast address.
ip broadcast: The ip address of the host is a broadcast address.
bogon: The source ip address is not on the local subnet.
ethernet broadcast: The source mac or arp ethernet address was all ones or all zeros.
ethernet mismatch: The source mac ethernet address didn’t match the address inside the arp packet.
reused old ethernet address: The ethernet address has changed from the most recently seen address to the third (or greater) least recently seen address. (This is similar to a flip flop.)
suppressed DECnet flip flop: A “flip flop” report was suppressed because one of the two addresses was a DECnet address.
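The -s option in the usage above allows any program that accepts -odi and then the report on stdin to stand in for sendmail, for instance to write reports to a log file instead of mailing them. The following added example (not part of arpwatch) is such a stand-in script; it also tags each logged line with the report kind taken from the report's Subject line. The log path /var/log/arpwatch-reports.log, the install path /usr/local/sbin/arpwatch-logsink, the "Subject: <kind> (<hostname>)" layout it parses and the assumption that arpwatch passes the -m address as the recipient argument are all assumptions of this example.

```shell
#!/bin/sh
# arpwatch-logsink: a stand-in for sendmail for use with `arpwatch -s`.
# arpwatch runs `<sendmail_path> -odi <addr>` and writes the report to
# stdin; this script accepts those arguments and appends the report to a
# log file instead of mailing it.  Added example, not part of arpwatch;
# the log path and the Subject-line layout it parses are assumptions.

# Print the report kind ("new station", "flip flop", ...) taken from the
# report's Subject line on stdin, assumed to read "Subject: <kind> (<host>)"
# or "Subject: <kind>"; prints "unknown" when no Subject line is present.
arpwatch_report_kind() {
    kind=$(sed -n 's/^Subject: *\([^(]*[^( ]\).*/\1/p' | head -n 1)
    printf '%s\n' "${kind:-unknown}"
}

# sendmail-compatible entry point: options such as -odi are ignored; the
# recipient (the arpwatch -m address) is kept so it is still recorded.
arpwatch_logsink() {
    log="${ARPWATCH_LOG:-/var/log/arpwatch-reports.log}"
    recipient=nobody
    for arg in "$@"; do
        case "$arg" in
            -*) ;;                      # -odi and any other sendmail option
            *) recipient="$arg" ;;
        esac
    done
    report=$(cat)                       # the whole report from stdin
    kind=$(printf '%s\n' "$report" | arpwatch_report_kind)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # One log line per report line, each tagged with timestamp, report kind
    # and recipient, so the log can later be grepped by report kind.
    printf '%s\n' "$report" | while IFS= read -r line; do
        printf '%s [%s] %s: %s\n' "$stamp" "$kind" "$recipient" "$line"
    done >> "$log"
}

# Only act as the sink when invoked with arguments, as arpwatch does.
if [ $# -gt 0 ]; then
    arpwatch_logsink "$@"
fi
```

Install it executable and start arpwatch as `arpwatch -i eth0 -m root -s /usr/local/sbin/arpwatch-logsink`; ARPWATCH_LOG in the environment overrides the default log path.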