Arpwatch Tool to Monitor Ethernet Activity in Linux

Arpwatch is an open source program that monitors Ethernet activity on your network, in particular ARP traffic, and maintains a database of Ethernet (MAC)/IP address pairings. It logs every new or changed pairing it notices together with a timestamp, so you can see exactly when a pairing first appeared or changed on the network. It can also send a report by e-mail to the network administrator whenever a pairing is added or changed.

This tool is especially useful for network administrators who want to watch ARP activity in order to detect ARP spoofing or unexpected IP/MAC address changes. Note that arpwatch only sees ARP traffic on the broadcast domain (VLAN/segment) of the interface it listens on, so a separate instance or interface is needed for each segment you want to cover.

Installing Arpwatch in Linux

Arpwatch is not installed by default on most Linux distributions. Install it from your distribution's repositories with ‘yum‘ on RHEL, CentOS and Fedora, or with ‘apt-get‘ on Ubuntu, Linux Mint and Debian.

# yum install arpwatch
$ sudo apt-get install arpwatch

Let’s look at the most important arpwatch files; their exact location differs slightly between distributions (the paths below are for RHEL/CentOS/Fedora; on Debian/Ubuntu the interfaces to watch are listed in /etc/arpwatch.conf).

  1. /etc/rc.d/init.d/arpwatch : The init script used to start and stop the daemon.
  2. /etc/sysconfig/arpwatch : The main configuration file, holding the options the daemon is started with.
  3. /usr/sbin/arpwatch : The arpwatch binary itself, which you can also run directly from the terminal.
  4. /var/arpwatch/arp.dat : The database in which known IP/MAC pairings are recorded (newer packages, e.g. on CentOS 6.5, use /var/lib/arpwatch/arp.dat instead).
  5. /var/log/messages : The log file to which arpwatch reports new pairings and changes via syslog.

Enable the service at boot (runlevels 3 and 5) and start it with the following commands, shown for root and for a sudo user:

# chkconfig --level 35 arpwatch on
# /etc/init.d/arpwatch start
$ sudo chkconfig --level 35 arpwatch on
$ sudo /etc/init.d/arpwatch start

On systemd-based distributions (recent Fedora, CentOS 7 and later) there is no /etc/init.d/arpwatch script; use ‘systemctl enable arpwatch‘ and ‘systemctl start arpwatch‘ instead.

Arpwatch Commands and Usage

To watch a specific interface, run arpwatch with the ‘-i‘ option and the device name. Started by hand like this it must run as root (or with CAP_NET_RAW) to open the capture interface; add ‘-d‘ to keep it in the foreground and print reports to the terminal instead of mailing them, which is handy when testing.

# arpwatch -i eth0

So, whenever a new MAC address appears or an existing IP address starts using a different MAC address, you will see syslog entries in ‘/var/log/syslog‘ (Debian/Ubuntu) or ‘/var/log/messages‘ (RHEL/CentOS/Fedora).

# tail -f /var/log/messages
Sample Output
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45

The above output shows newly seen stations (IP/MAC pairs that were not yet in arp.dat). When an IP address starts answering from a different MAC address, arpwatch logs a ‘changed station‘ message instead, giving the new MAC address followed by the previous one in parentheses:

Apr 15 12:45:17 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
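As an added example (not part of the original article), the following Python script parses arpwatch syslog lines such as those above and flags a MAC address that becomes the new ‘changed station‘ answer for several IP addresses within a short window. In the sample above, 0:f0:b8:26:82:56 takes over both 172.16.16.64 and 172.16.25.86 within two seconds, which is exactly what an ARP spoofing attack on a segment looks like in arpwatch's log. The input is constructed from the page's sample lines plus a ‘flip flop‘ line (another report type arpwatch emits when a pairing reverts to an earlier MAC); the year assumed for the syslog timestamps and the 60-second window are the example's own assumptions.

```python
"""Added example (not from the original article): parse arpwatch syslog lines
and flag a MAC address that takes over several IP addresses within a short
window, the pattern shown by the 'changed station' sample output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the article's sample lines plus one "flip flop" line,
# another report type arpwatch emits when a pairing reverts to an earlier MAC.
SAMPLE_LOG = """\
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:17 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 13:02:03 tecmint arpwatch: flip flop 172.16.25.86 0:d0:b7:23:72:45 (0:f0:b8:26:82:56)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ arpwatch: "
    r"(?P<event>new station|changed station|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)"
    r"(?: \((?P<old_mac>[0-9a-f:]+)\))?"
)


def normalize_mac(mac):
    # arpwatch prints octets without leading zeros (d0:67:e5:c:9:67);
    # pad them so values can be compared with other tools' output.
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_line(line, year=2013):
    """Return a dict for one arpwatch syslog line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; one is assumed so deltas can be computed.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "event": m["event"],
        "ip": m["ip"],
        "mac": normalize_mac(m["mac"]),
        "old_mac": normalize_mac(m["old_mac"]) if m["old_mac"] else None,
    }


def find_takeovers(log_text, window_seconds=60, min_ips=2):
    """Return {mac: [ips]} for MACs that became the new address of at least
    min_ips distinct IPs within window_seconds: a strong spoofing indicator."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_mac = defaultdict(list)  # new MAC -> [(ts, ip)] for change events
    for e in events:
        if e["event"] in ("changed station", "flip flop"):
            by_mac[e["mac"]].append((e["ts"], e["ip"]))
    suspects = {}
    for mac, hits in by_mac.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:]
                   if (t - t0).total_seconds() <= window_seconds}
            if len(ips) >= min_ips:
                suspects[mac] = sorted(ips)
                break
    return suspects


if __name__ == "__main__":
    for mac, ips in find_takeovers(SAMPLE_LOG).items():
        print(f"possible ARP spoofing: {mac} now answers for {', '.join(ips)}")
```

In production you would feed it `tail -f` output or journal lines rather than a fixed string; a single "changed station" is often just a replaced NIC or a DHCP lease moving, which is why the heuristic looks for one MAC claiming several IPs rather than alerting on every change.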

You can also check current ARP table, by using following command.

# arp -a
Sample Output
tecmint.com (172.16.16.94) at 00:14:5e:67:26:1d [ether] on eth0
? (172.16.25.125) at b8:ac:6f:2e:57:b3 [ether] on eth0
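As an added example (not from the original article), this Python script cross-checks the live ARP cache, in the ‘arp -a‘ format shown above, against the pairings arpwatch has recorded in arp.dat, and reports any IP whose current MAC disagrees with the database, or that arpwatch has never seen. The arp.dat layout it assumes is arpwatch's tab-separated ‘ethernet address, IP address, Unix timestamp, optional hostname‘; both input samples are constructed from the addresses on this page. Note the MAC normalisation: arpwatch writes octets without leading zeros (d0:67:e5:c:9:67) while ‘arp -a‘ pads them, so a naive string comparison would never match.

```python
"""Added example (not from the original article): cross-check the live ARP
cache ('arp -a' output) against arpwatch's arp.dat database and report IPs
whose current MAC disagrees with the recorded pairing."""
import re

# Constructed arp.dat contents. Field layout follows arpwatch's database
# format: tab-separated ethernet address, IP address, Unix timestamp and an
# optional hostname. Addresses are taken from the article's sample output.
SAMPLE_ARP_DAT = """\
0:14:5e:67:26:1d\t172.16.16.94\t1366009517\ttecmint.com
b8:ac:6f:2e:57:b3\t172.16.25.125\t1366009519
d0:67:e5:c:9:67\t172.16.16.64\t1366009517
"""

# Constructed 'arp -a' output: .94 and .125 as on the page, .64 now answering
# from a different MAC, and one host arpwatch has never recorded.
SAMPLE_ARP_A = """\
tecmint.com (172.16.16.94) at 00:14:5e:67:26:1d [ether] on eth0
? (172.16.25.125) at b8:ac:6f:2e:57:b3 [ether] on eth0
? (172.16.16.64) at 00:f0:b8:26:82:56 [ether] on eth0
? (172.16.16.200) at 00:24:1d:76:e4:1d [ether] on eth0
"""

ARP_A_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]+)")


def normalize_mac(mac):
    # arpwatch writes octets without leading zeros; 'arp -a' pads them.
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))


def parse_arp_dat(text):
    """Map IP -> set of MACs recorded by arpwatch (an IP may have several)."""
    pairs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        mac, ip = fields[0], fields[1]
        pairs.setdefault(ip, set()).add(normalize_mac(mac))
    return pairs


def parse_arp_a(text):
    """Map IP -> MAC from 'arp -a' output; '<incomplete>' entries carry no
    MAC, do not match the pattern and are skipped."""
    cache = {}
    for line in text.splitlines():
        m = ARP_A_RE.search(line)
        if m:
            cache[m["ip"]] = normalize_mac(m["mac"])
    return cache


def compare(arp_dat_text, arp_a_text):
    """Return (mismatches, unknown): mismatches maps IP -> (live MAC, recorded
    MACs) where the live MAC is not among those arpwatch recorded; unknown
    lists IPs present in the cache but absent from arp.dat."""
    recorded = parse_arp_dat(arp_dat_text)
    live = parse_arp_a(arp_a_text)
    mismatches = {}
    unknown = []
    for ip, mac in sorted(live.items()):
        if ip not in recorded:
            unknown.append(ip)
        elif mac not in recorded[ip]:
            mismatches[ip] = (mac, sorted(recorded[ip]))
    return mismatches, unknown


if __name__ == "__main__":
    bad, new = compare(SAMPLE_ARP_DAT, SAMPLE_ARP_A)
    for ip, (mac, known) in bad.items():
        print(f"MISMATCH {ip}: live {mac}, arpwatch recorded {known}")
    for ip in new:
        print(f"UNKNOWN  {ip}: not in arp.dat")
```

On a real host you would read /var/arpwatch/arp.dat (or /var/lib/arpwatch/arp.dat) and pipe in the output of ‘arp -a‘; a mismatch on the default gateway's IP is the case worth paging on, since that is the address an attacker poisons to intercept traffic.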

If you want alerts sent to your own e-mail address, open the main configuration file ‘/etc/sysconfig/arpwatch‘ and set the ‘-e‘ option as shown below. Leave ‘-u‘ in place: it makes the daemon drop root privileges to the given user once the capture interface has been opened.

# -u <username> : defines with what user id arpwatch should run
# -e <email>    : the <email> where to send the reports
# -s <from>     : the <from>-address
OPTIONS="-u arpwatch -e [email protected] -s 'root (Arpwatch)'"

Here is an example of the e-mail report sent when a new station (IP/MAC pair) is seen:

        hostname: centos
      ip address: 172.16.16.25
       interface: eth0
ethernet address: 00:24:1d:76:e4:1d
 ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
       timestamp: Monday, April 15, 2012 15:32:29

Here is an example of the e-mail report sent when an IP address starts answering from a different MAC address:

            hostname: centos
          ip address: 172.16.16.25
           interface: eth0
    ethernet address: 00:56:1d:36:e6:fd
     ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
old ethernet address: 00:24:1d:76:e4:1d
           timestamp: Monday, April 15, 2012 15:43:45
  previous timestamp: Monday, April 15, 2012 15:32:29 
               delta: 9 minutes

As you can see above, each report records the hostname, IP address, MAC address, vendor name and timestamp; a change report also includes the previous MAC address, the previous timestamp and the delta between the two. For more information, see the arpwatch man page by running ‘man arpwatch’ in the terminal.


Ravi Saive

I am Ravi Saive, creator of TecMint. A computer geek and Linux guru who loves to share tricks and tips on the Internet. Most of my servers run on an open source platform called Linux.


14 Responses

  1. Ryan says:

    Thank you for the tutorial!

    Is there a way to tell arpwatch not to notify on multiple IP Addresses in different subnets? Right now, it looks like we can only tell it to skip a single IP or network range. I am attempting to do this on the interface in the /etc/arpwatch.conf file.

  2. Ant says:

    Is there a way to look up each address like MAC address so I know whose device it is?

  3. techboyz says:

    I'm using Fedora 20.
    arpwatch -i eno1
    arpwatch: lookup_device: no suitable interface found

  4. kaleem says:

    When I install arpwatch on CentOS 6.5, it installs successfully, but when I use this command: /etc/init.d/arpwatch start, it generates the error: arpwatch: lookup_device: can't open the netlink socket 13: Permission denied

    service failed to start:

  5. Kevin says:

    Great tutorial.

    FYI,

    Installing using Yum on CentOS 6.5, it put the ARPwatch DB file in “/var/lib/arpwatch/”. Your instructions showed “/var/arpwatch/”

    Thanks!

  6. jagadeesh says:

    Thank you very much, bro, you are giving very useful information to Linux learners.

  7. Wynman says:

    I tried to install arpwatch on an Untangle box via SSH but it returned the error “Couldn’t find package arpwatch”. Is there a workaround for this?

  8. John says:

    Arpwatch has problems with VLANs.
    It always sends:
    arpwatch: xx:xx:xx:xx:xx:xx sent bad hardware format 0x3e7
    to the log.
    So at present it is unusable in those networks.

  9. Alex says:

    Hi,

    I got this problem.

    [[email protected] init.d]# chkconfig --level 35 arpwatch on
    Note: Forwarding request to ‘systemctl enable arpwatch.service’.

    [[email protected] init.d]# /etc/init.d/arpwatch start
    -bash: /etc/init.d/arpwatch: No such file or directory

  10. Wilson Silva says:

    I have been searching for a tutorial like this for the past week and I didn’t find one. They were always incomplete or outdated. I finally got this to work. Thank you! :)

    If I don’t specify an interface, arpwatch watches all interfaces?
