Arpwatch setup in Ubuntu

Arpwatch keeps track for Ethernet/IP Address pairings.

It can store activity via syslog and reports pairing changes via eMail too.
Arpwatch uses pcap to listen for ARP packets on local ethernet interfacs.

Arpwatch is available as package installable via apt:

sudo apt-get install arpwatch

Edit the config file:

vim /etc/arpwatch.conf

Insert the configuration (example with eth0 interface):

eth0 -a -n -m youraccount@yourdomain.ext

Start (or restart, if already started) Arpwatch:

service arpwatch restart

NOTE: you will need a local MTA to let arpwatch send notification via eMail.

If eMail notifications has been configured, we will receive a message when a ‘NEW Station’ has been found on our local network:

We could also receive notifications for ‘Changed ethernet address’, when the corresponding MAC-Address paired to an IPv4 Address has been changed:

NOTE: Ethernet Addresses are not real in these examples.

Comments are closed.