Arpwatch is an open source tool that passively monitors ARP traffic on an Ethernet network (for example, IP addresses that start being claimed by a different MAC address) and maintains a database of Ethernet/IP address pairings. Every pairing it notices is logged with a timestamp, so you can see exactly when a pairing appeared or changed on the network, and it can e-mail a report to the network administrator whenever a pairing is added or changed.
This makes it especially useful for network administrators who want to keep watch on ARP activity and detect ARP spoofing or unexpected changes to IP/MAC pairings.

Installing Arpwatch in Linux

Arpwatch is not installed by default on any of the major Linux distributions. Install it with ‘yum‘ on RHEL, CentOS and Fedora:

# yum install arpwatch

and with ‘apt-get‘ on Ubuntu, Linux Mint and Debian:

$ sudo apt-get install arpwatch

Let’s look at the most important arpwatch files. Their locations differ slightly between distributions; the paths below are the RHEL/CentOS/Fedora ones.

  1. /etc/rc.d/init.d/arpwatch : The init script used to start and stop the arpwatch daemon.
  2. /etc/sysconfig/arpwatch : The main configuration file, holding the options passed to the daemon (on Debian-based systems this is /etc/default/arpwatch).
  3. /usr/sbin/arpwatch : The arpwatch daemon itself, which can also be run directly from the terminal.
  4. /var/arpwatch/arp.dat : The main database file, in which the observed IP/MAC pairings are recorded (/var/lib/arpwatch/arp.dat on Debian-based systems).
  5. /var/log/messages : The log file to which arpwatch reports, via syslog, every new or changed IP/MAC pairing (/var/log/syslog on Debian-based systems).

Enable the service at boot (run levels 3 and 5) and start it. Run the commands as root, or prefix them with sudo on systems where you do not log in as root:

# chkconfig --level 35 arpwatch on
# /etc/init.d/arpwatch start

Arpwatch Commands and Usage

To watch a specific interface, run arpwatch with ‘-i‘ and the device name. It needs root privileges to open the interface for capture, and unless you pass ‘-d‘ (debug mode, which keeps it in the foreground and prints reports to stderr) it forks into the background and reports through syslog and e-mail:

# arpwatch -i eth0

Whenever a new MAC address appears on the network, or an IP address starts being claimed by a different MAC address, arpwatch writes a syslog entry to ‘/var/log/messages‘ (RHEL-based systems) or ‘/var/log/syslog‘ (Debian-based systems). Follow the log with tail:

# tail -f /var/log/messages

Sample Output

Apr 13 12:45:17 lintut arpwatch: new station 192.168.1.80 60:eb:69:96:73:11
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1

The lines above report new stations, i.e. IP/MAC pairings arpwatch had not recorded before; on first start-up every host on the segment shows up this way, so expect a burst of these. When an existing pairing changes, you will see output like the following (the message arpwatch itself uses for this event is ‘changed ethernet address‘, and an IP that keeps alternating between two MACs, the usual signature of ARP spoofing or of two hosts configured with the same IP, is reported as ‘flip flop‘; see the man page for the full list of messages):


Apr 13 12:46:03 lintut arpwatch: changed station 192.168.1.80 82:f3:a3:87:26:34 (60:eb:69:96:73:11)
Apr 13 12:46:05 lintut arpwatch: changed station 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
Apr 13 12:46:05 lintut arpwatch: changed station 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
Apr 13 12:46:05 lintut arpwatch: changed station 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
Apr 13 12:46:05 lintut arpwatch: changed station 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
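Reading these lines one at a time hides the pattern that matters: in the sample above a single MAC (82:f3:a3:87:26:34) has displaced the previous owners of two different IPs within seconds, which is exactly what an ARP spoofing host looks like when it poisons both a victim and the gateway. The following Python script is an added example, not code from the original article or from the arpwatch project. It replays arpwatch syslog lines and reports which IPs changed MAC, which IPs flip-flopped back to a MAC they had used before, and which MACs took over more than one IP. The log lines are constructed to mirror the samples above and use the message names arpwatch itself emits (‘new station‘, ‘new activity‘, ‘changed ethernet address‘, ‘flip flop‘); the parser also accepts ‘changed station‘ as written in the sample output. One detail worth knowing: arpwatch prints MAC octets without leading zeros (0:bc:… rather than 00:bc:…), so the script normalizes MACs before comparing them.

```python
import re
from collections import defaultdict

# Syslog lines arpwatch emits: "<timestamp> <host> arpwatch[pid]: <event> <ip> <mac> [(previous mac)]".
# An octet may be a single hex digit because arpwatch prints them with %x (no zero padding).
MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"arpwatch(?:\[\d+\])?:\s+"
    r"(?P<event>new station|new activity|changed ethernet address|changed station|"
    r"flip flop|reused old ethernet address)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>" + MAC + r")"
    r"(?:\s+\((?P<old>" + MAC + r")\))?\s*$",
    re.IGNORECASE,
)

# Constructed sample log, shaped like the output above (not captured from a real system).
SAMPLE_LOG = """\
Apr 13 12:45:17 lintut arpwatch: new station 192.168.1.80 60:eb:69:96:73:11
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1
Apr 13 12:45:19 lintut arpwatch: new station 192.168.1.81 1c:65:9d:93:fc:e1
Apr 13 12:45:40 lintut arpwatch: new station 192.168.1.1 0:bc:6b:a3:57:bb
Apr 13 12:45:41 lintut sshd[2201]: Accepted publickey for admin from 192.168.1.83
Apr 13 12:46:03 lintut arpwatch: changed ethernet address 192.168.1.80 82:f3:a3:87:26:34 (60:eb:69:96:73:11)
Apr 13 12:46:05 lintut arpwatch: changed ethernet address 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
Apr 13 12:46:05 lintut arpwatch: changed ethernet address 192.168.1.81 82:f3:a3:87:26:34 (1c:65:9d:93:fc:e1)
Apr 13 12:47:10 lintut arpwatch: flip flop 192.168.1.81 1c:65:9d:93:fc:e1 (82:f3:a3:87:26:34)
Apr 13 12:48:00 lintut arpwatch: new activity 192.168.1.1 0:bc:6b:a3:57:bb
"""


def normalize_mac(mac):
    """Zero-pad each octet so '0:bc:6b:a3:57:bb' and '00:bc:6b:a3:57:bb' compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_line(line):
    """Return the fields of one arpwatch syslog line, or None for unrelated log lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["event"] = ev["event"].lower()
    ev["mac"] = normalize_mac(ev["mac"])
    ev["old"] = normalize_mac(ev["old"]) if ev["old"] else None
    return ev


def analyze(lines):
    """Replay arpwatch syslog lines and return the security-relevant findings."""
    current = {}                   # ip -> MAC currently bound to it
    history = defaultdict(set)     # ip -> every MAC ever seen claiming it
    displaced = defaultdict(set)   # MAC -> IPs it took over from a different MAC
    changes, flip_flops = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, mac = ev["ip"], ev["mac"]
        # Previous owner: what we tracked so far, or the "(old mac)" arpwatch printed
        # when the IP's first appearance in this log is already a change.
        prev = current.get(ip, ev["old"])
        # arpwatch repeats a line for every matching frame; once current[ip] is updated
        # the repeats compare equal and are ignored.
        if prev is not None and prev != mac:
            change = (ip, prev, mac)
            changes.append(change)
            if mac in history[ip]:          # the IP went back to a MAC it used earlier
                flip_flops.append(change)
            displaced[mac].add(ip)
        current[ip] = mac
        history[ip].add(mac)
    # One MAC displacing the owners of two or more IPs is how an ARP spoofing host looks
    # when it poisons both a victim and the gateway. Legitimate causes exist (a router
    # doing proxy ARP, a host with several IPs), so treat it as a lead, not proof.
    takeovers = {m: sorted(ips) for m, ips in displaced.items() if len(ips) >= 2}
    return {"changes": changes, "flip_flops": flip_flops, "takeovers": takeovers}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG.splitlines())
    for ip, old, new in findings["changes"]:
        print(f"CHANGED   {ip}: {old} -> {new}")
    for ip, old, new in findings["flip_flops"]:
        print(f"FLIP FLOP {ip}: back to {new} (was {old})")
    for mac, ips in findings["takeovers"].items():
        print(f"TAKEOVER  {mac} now owns {', '.join(ips)}")
```

On a live system feed it the real log (for example `analyze(open("/var/log/messages").readlines())`) or pipe `tail -f` through it; the parser ignores lines from other daemons, so the whole file can be passed in unfiltered.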

You can also inspect the kernel’s current ARP table with the following command (‘ip neigh show‘ is the modern equivalent on systems without the net-tools package):

# arp -a

Sample Output

lintut.com (192.168.1.83) at 00:a3:be:12:26:13 [ether] on eth0
? (192.168.1.1) at 00:bc:6b:a3:57:bb [ether] on eth0
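The ARP table above is a point-in-time snapshot of what the kernel currently believes, while arp.dat holds what arpwatch has learned over time, so comparing the two is a quick consistency check when you suspect poisoning on a segment. The Python script below is an added example, not code from the original article or from the arpwatch project. It parses the neighbour table in either ‘arp -a‘ or ‘ip neigh show‘ format and an arp.dat file (tab-separated: MAC, IP, Unix timestamp, optional hostname, as arpwatch writes it) and reports IPs whose current MAC differs from the recorded one, IPs arpwatch has never recorded, and MACs that currently answer for more than one IP. Both inputs are constructed sample data embedded in the script.

```python
import re

MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
# "arp -a" line:        lintut.com (192.168.1.83) at 00:a3:be:12:26:13 [ether] on eth0
ARP_A_RE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>" + MAC + r")"
    r"\s+\[ether\]\s+on\s+(?P<iface>\S+)",
    re.IGNORECASE,
)
# "ip neigh show" line: 192.168.1.83 dev eth0 lladdr 00:a3:be:12:26:13 REACHABLE
IP_NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<iface>\S+)\s+lladdr\s+(?P<mac>" + MAC + r")",
    re.IGNORECASE,
)

# Constructed sample data (not captured from a real system). arp.dat octets lack
# leading zeros because arpwatch writes MACs with %x.
SAMPLE_ARP_DAT = (
    "0:bc:6b:a3:57:bb\t192.168.1.1\t1365853517\n"
    "0:a3:be:12:26:13\t192.168.1.83\t1365853600\tlintut.com\n"
    "60:eb:69:96:73:11\t192.168.1.80\t1365853517\n"
)
SAMPLE_ARP_A = """\
lintut.com (192.168.1.83) at 00:a3:be:12:26:13 [ether] on eth0
? (192.168.1.1) at 00:bc:6b:a3:57:bb [ether] on eth0
? (192.168.1.80) at 82:f3:a3:87:26:34 [ether] on eth0
? (192.168.1.90) at 82:f3:a3:87:26:34 [ether] on eth0
"""
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:bc:6b:a3:57:bb REACHABLE
192.168.1.99 dev eth0  FAILED
"""


def normalize_mac(mac):
    """Zero-pad each octet so arp.dat and kernel notations compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_neighbour_table(text):
    """Map ip -> MAC from 'arp -a' or 'ip neigh show' output.
    Entries without a MAC (FAILED / incomplete) carry no binding and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_A_RE.match(line) or IP_NEIGH_RE.match(line)
        if m:
            table[m["ip"]] = normalize_mac(m["mac"])
    return table


def parse_arp_dat(text):
    """Map ip -> newest recorded pairing from arp.dat.
    The file may hold several lines for one IP (one per MAC it has used);
    the line with the newest timestamp is taken as the current binding."""
    db = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        mac, ip, ts = normalize_mac(fields[0]), fields[1], int(fields[2])
        host = fields[3] if len(fields) > 3 else ""
        if ip not in db or ts > db[ip]["ts"]:
            db[ip] = {"mac": mac, "ts": ts, "host": host}
    return db


def cross_check(table, db):
    """Compare the live neighbour table against arpwatch's database."""
    mismatch = [(ip, mac, db[ip]["mac"])
                for ip, mac in sorted(table.items())
                if ip in db and db[ip]["mac"] != mac]
    unknown = sorted(ip for ip in table if ip not in db)
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    # A MAC answering for several IPs is worth a look (spoofing host poisoning multiple
    # targets), but is also normal for a router doing proxy ARP or a host with aliases.
    shared_mac = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"mismatch": mismatch, "unknown": unknown, "shared_mac": shared_mac}


if __name__ == "__main__":
    result = cross_check(parse_neighbour_table(SAMPLE_ARP_A), parse_arp_dat(SAMPLE_ARP_DAT))
    for ip, live, recorded in result["mismatch"]:
        print(f"MISMATCH  {ip}: kernel says {live}, arpwatch recorded {recorded}")
    for ip in result["unknown"]:
        print(f"UNKNOWN   {ip}: never recorded by arpwatch")
    for mac, ips in result["shared_mac"].items():
        print(f"SHARED    {mac} answers for {', '.join(ips)}")
```

On a live system pass `subprocess.check_output(["ip", "neigh", "show"], text=True)` to `parse_neighbour_table` and the contents of arp.dat (path as listed in the files section above) to `parse_arp_dat`; run it on a host that sees the same segment arpwatch is watching, otherwise every entry will show as unknown.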

To have the alerts sent to an address of your choice, open the main configuration file ‘/etc/sysconfig/arpwatch‘ and set the e-mail address in the OPTIONS line as shown below, then restart the service so the new options take effect. Delivery depends on the local mail transfer agent (sendmail or an equivalent) being able to send mail from the host.

# -u : the unprivileged user account arpwatch drops to after opening the capture interface
# -e : the e-mail address to which reports are sent
# -s : the sender address placed in the From: header of the reports
OPTIONS="-u arpwatch -e [email protected] -s 'root (Arpwatch)'"

Here is an example of the e-mail report sent when a new MAC address appears on the network:
hostname: centos
ip address: 192.168.1.81
interface: eth0
ethernet address: 1c:65:9d:93:fc:e1
ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
timestamp: Monday, April 13, 2013 15:32:29

And here is the report sent when an IP address starts being claimed by a different MAC address:
hostname: centos
ip address: 192.168.1.81
interface: eth0
ethernet address: 00:12:11:ab:e6:bd
ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
old ethernet address: 00:24:1d:76:e4:1d
timestamp: Monday, April 13, 2013 15:43:45
previous timestamp: Monday, April 13, 2013 15:32:29
delta: 9 minutes

As you can see, each report records the hostname, IP address, MAC address, vendor name (looked up from the manufacturer prefix of the MAC) and timestamp, and for a change also the previous MAC address, when it was last seen and the time elapsed since then. For more information, see the arpwatch man page (‘man arpwatch‘).