Man Linux: Main Page and Category List


       arpwatch - keep track of ethernet/ip address pairings


       arpwatch [ -dN ]
               [ -f datafile ]
               [ -i interface ]
               [ -n net[/width ]]
               [ -r file ]
               [ -s sendmail_path ]
               [ -p ]
               [ -a ]
               [ -m addr ]
               [ -u username ]
               [ -R seconds ]
               [ -Q ]
               [ -z ignorenet/ignoremask ]


       Arpwatch  keeps  track  for  ethernet/ip  address  pairings. It syslogs
       activity and reports certain changes via email.  Arpwatch uses  pcap(3)
       to listen for arp packets on a local ethernet interface.

       The  -d  flag is used enable debugging. This also inhibits forking into
       the background and emailing the reports.  Instead,  they  are  sent  to

       The  -f  flag is used to set the ethernet/ip address database filename.
       The default is arp.dat.

       The -i flag is used to override the default interface.

       The -n flag specifies additional local networks. This can be useful  to
       avoid  "bogon"  warnings when there is more than one network running on
       the same wire. If the optional width  is  not  specified,  the  default
       netmask for the network’s class is used.

       The -N flag disables reporting any bogons.

       The  -r  flag  is  used  to  specify  a  savefile  (perhaps  created by
       tcpdump(1) or pcapture(1)) to read from instead  of  reading  from  the
       network. In this case, arpwatch does not fork.

       (Debian)  The  -s  flag  is  used  to  specify the path to the sendmail
       program.  Any program that takes the option -odi  and  then  text  from
       stdin can be substituted. This is useful for redirecting reports to log
       files instead of mail.

       (Debian) The -p flag disables promiscuous  operation.   ARP  broadcasts
       get  through  hubs  without  having  the interface in promiscuous mode,
       while saving considerable resources that would be wasted on  processing
       gigabytes  of  non-broadcast  traffic.   OTOH, setting promiscuous mode
       does not mean getting 100% traffic that would concern arpwatch .  YMMV.

       (Debian)  -a  By  default, arpwatch reports bogons (unless -N is given)
       for IP addresses that are in the same subnet than the first IP  address
       of  the  default interface.  If this option is specified, arpwatch will
       report bogons about every IP addresses.

       (Debian) The -m option is used to specify the e-mail address  to  which
       reports  will  be  sent.   By  default, reports are sent to root on the
       local machine.

       (Debian) The -u flag instructs arpwatch to  drop  root  privileges  and
       change  the  UID to username and GID to the primary group of username .
       This is recommended for security reasons,  but  username  has  to  have
       write access to the default directory.

       (Debian)  The  -R flag instructs arpwatch to restart in seconds seconds
       after the interface went down.  By  default,  in  such  cases  arpwatch
       would  print  an  error  message  and  exit.  This option is ignored if
       either the -r or -u flags are used.

       (Debian) The -Q flags prevents arpwatch from sending reports by mail.

       (Debian) The -z flag is used to set a range of ip addresses  to  ignore
       (such as a DHCP range). Netmask is specified as

       Note  that  an empty arp.dat file must be created before the first time
       you run arpwatch.


       Here’s a quick list of the report  messages  generated  by  arpwatch(1)
       (and arpsnmp(1)):

       new activity
              This  ethernet/ip  address pair has been used for the first time
              six months or more.

       new station
              The ethernet address has not been seen before.

       flip flop
              The ethernet address has changed from  the  most  recently  seen
              address  to  the  second most recently seen address.  (If either
              the old or new ethernet address is a DECnet address  and  it  is
              less  than  24  hours,  the  email  version  of  the  report  is

       changed ethernet address
              The host switched to a new ethernet address.


       Here are some of the syslog  messages;  note  that  messages  that  are
       reported are also sysloged.

       ethernet broadcast
              The mac ethernet address of the host is a broadcast address.

       ip broadcast
              The ip address of the host is a broadcast address.

       bogon  The source ip address is not local to the local subnet.

       ethernet broadcast
              The  source  mac  or  arp  ethernet  address was all ones or all

       ethernet mismatch
              The source mac ethernet address didn’t match the address  inside
              the arp packet.

       reused old ethernet address
              The  ethernet  address  has  changed from the most recently seen
              address to the third (or greater) least recently  seen  address.
              (This is similar to a flip flop.)

       suppressed DECnet flip flop
              A  "flip  flop"  report  was  suppressed  because one of the two
              addresses was a DECnet address.


       /var/lib/arpwatch - default directory
       arp.dat - ethernet/ip address database
       /usr/share/arpwatch/ethercodes.dat - vendor ethernet block list


       arpsnmp(8), arp(8), bpf(4), tcpdump(1), pcapture(1), pcap(3)


       Craig Leres  of  the  Lawrence  Berkeley  National  Laboratory  Network
       Research Group, University of California, Berkeley, CA.

       The current version is available via anonymous ftp:



       Please send bug reports to

       Attempts  are made to suppress DECnet flip flops but they aren’t always

       Most error messages are posted using syslog.