FreeBSD Manual Pages
NAME
       arpwatch	-- keep	track of ethernet/ip address pairings

SYNOPSIS
       arpwatch [-CdFNpqsvzZ] [-D arpdir] [-f datafile] [-i interface]
                [-P pidfile] [-w watcher@email] [-W watchee@email]
                [-n net[/width]] [-x net[/width]] [-r file]

DESCRIPTION
       arpwatch	keeps track of ethernet/ip address pairings. It	syslogs	activ-
       ity  and	 reports  certain changes via email.  arpwatch uses pcap(3) to
       listen for arp packets on a local ethernet interface.

       arp.dat contains three or four fields. First is the ethernet mac ad-
       dress, second is the IPv4 address, and third is the time expressed in
       seconds since midnight, January 1, 1970. The optional fourth field is
       the short hostname derived from the PTR record of the ip address when
       a mac/ip pair is first seen; it is never updated and was intended to
       be a breadcrumb to determine the origin of a mac/ip pair.

       The -C flag uses	compact	padded ethernet	 addresses  in	arp.dat,  e.g.
       0:8:e1:1:2:d6.

       The -d flag is used to enable debugging. This also inhibits forking
       into the background and emailing the reports. Instead, they are sent
       to stderr.

       The -D flag is used to specify the arpwatch working directory. This de-
       faults to /usr/local/arpwatch.

       The  -f	flag is	used to	set the	ethernet/ip address database filename.
       The default is arp.dat.

       The -F flag prevents arpwatch from forking, causing it to run in the
       foreground.

       The -i flag is used to override the default interface.

       The  -n flag specifies additional local networks. This can be useful to
       avoid "bogon" warnings when there is more than one network  running  on
       the same	wire. If the optional width is not specified, the default net-
       mask for	the network's class is used.

       The -N flag disables reporting any bogons.

       The -p flag disables promiscuous	mode.

       The -P flag specifies the pidfile.

       The -q flag suppresses reports being logged or printed to stderr.

       The  -r	flag  is  used	to  specify  a	savefile  (perhaps  created by
       tcpdump(1) or pcapture(1)) to read from instead	of  reading  from  the
       network.	In this	case arpwatch does not fork.

       Note that an empty arp.dat file must be created before the first time
       you run arpwatch.

       The -s flag suppresses reports sent by email.

       The -v flag disables the	reporting of VRRP/CARP	ethernet  prefixes  as
       described in RFC5798 (00:00:5e:00:01:xx).

       The  -w	flag  is used to specify the target address for	email reports.
       The default is root.

       The -W flag specifies the from address for email reports. The default
       is root.

       The  -z	flag disables reporting	0.0.0.0	changes, helpful in busy DHCP-
       served networks.

       The -Z flag (default) uses zero padded ethernet addresses  in  arp.dat,
       e.g. 00:08:e1:01:02:d6.

REPORT MESSAGES
       Here's  a  quick	 list  of the report messages generated	by arpwatch(1)
       (and arpsnmp(1)):

       new activity
	    This ethernet/ip address pair has been used for the first time in
	    six months or more.

       new station
	    The	ethernet address has not been seen before.

       flip flop
	    The	ethernet address has changed from the most recently  seen  ad-
	    dress  to  the  second most	recently seen address.	(If either the
	    old	or new ethernet	address	is a DECnet address  and  it  is  less
	    than 24 hours, the email version of	the report is suppressed.)

       changed ethernet	address
	    The	host switched to a new ethernet	address.
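       As an added illustration (not part of arpwatch or this manual page), the
       following Python reads the arp.dat format described in DESCRIPTION,
       accepting both the compact -C and zero-padded -Z ethernet address forms,
       and applies a simplified version of the REPORT MESSAGES rules above to a
       newly observed mac/ip pair. The sample file contents, the six-month
       threshold and the treatment of an ip with no history are assumptions.

```python
import re

# Constructed sample arp.dat (not a real capture): mac, ipv4, seconds since the
# epoch, optional hostname; the first line uses the compact -C form, the rest -Z.
SAMPLE_ARP_DAT = """\
0:8:e1:1:2:d6 192.0.2.10 1700000000 host-a
00:08:e1:01:02:d7 192.0.2.11 1700000600
00:08:e1:01:02:d8 192.0.2.10 1690000000 host-a
00:08:e1:01:02:d9 192.0.2.10 1680000000
"""
SIX_MONTHS = 182 * 24 * 3600  # assumed threshold for "new activity"

def normalize_mac(mac):
    """Accept compact (-C) or zero-padded (-Z) form; return the zero-padded form."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError("bad ethernet address: %r" % mac)
    return ":".join(o.zfill(2) for o in octets)

def parse_arp_dat(text):
    """Return a list of (mac, ip, seconds, hostname_or_None) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) not in (3, 4):
            raise ValueError("expected 3 or 4 fields: %r" % line)
        host = fields[3] if len(fields) == 4 else None
        records.append((normalize_mac(fields[0]), fields[1], int(fields[2]), host))
    return records

def classify(records, mac, ip, now):
    """Name the report a newly observed (mac, ip) pair at time `now` would produce,
    or None when nothing is reported. Simplified rules, not arpwatch's own code."""
    mac = normalize_mac(mac)
    # this ip's ethernet addresses, most recently seen first
    history = [r[0] for r in sorted((r for r in records if r[1] == ip),
                                    key=lambda r: r[2], reverse=True)]
    if not history:  # assumption: a pair whose ip has no history is a new station
        return "new station"
    if mac not in history:
        return "changed ethernet address"
    rank = history.index(mac)
    if rank == 0:
        last_seen = max(r[2] for r in records if r[0] == mac and r[1] == ip)
        return "new activity" if now - last_seen >= SIX_MONTHS else None
    return "flip flop" if rank == 1 else "reused old ethernet address"
```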

SYSLOG MESSAGES
       Here  are  some of the syslog messages; note that messages that are re-
       ported are also syslog'ed.

       ethernet	broadcast
	    The	mac ethernet address of	the host is a broadcast	address.

       ip broadcast
	    The	ip address of the host is a broadcast address.

       bogon
	    The	source ip address is not local to the local subnet.

       ethernet	broadcast
	    The	source mac or arp ethernet address was all ones	or all zeros.

       ethernet	mismatch
	    The	source mac ethernet address didn't match  the  address	inside
	    the	arp packet.

       reused old ethernet address
	    The	 ethernet  address has changed from the	most recently seen ad-
	    dress to the third	(or  greater)  least  recently	seen  address.
	    (This is similar to	a flip flop.)

       suppressed DECnet flip flop
	    A  "flip  flop"  report  was suppressed because one	of the two ad-
	    dresses was	a DECnet address.

SIGNALS
       Normally	arpwatch updates arp.dat once every 15	minutes.   The	SIGHUP
       signal causes it	to update immediately.

FILES
       /usr/local/arpwatch  default directory
       arp.dat		    default ethernet/ip	address	database
       ethercodes.dat	    vendor ethernet block list

SEE ALSO
       arpsnmp(8), arp(8), bpf(4), tcpdump(1), pcapture(1), pcap(3)

AUTHORS
       Craig  Leres  of	 the Lawrence Berkeley National	Laboratory Network Re-
       search Group, University	of California, Berkeley, CA.

       The current version is available	via anonymous ftp:

	     ftp://ftp.ee.lbl.gov/arpwatch.tar.gz

BUGS
       Please send bug reports to <arpwatch@ee.lbl.gov>.

       Attempts	are made to suppress DECnet flip flops but they	aren't	always
       successful.

       Most error messages are posted using syslog.

				2 December 2023			   ARPWATCH(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=arpwatch&manpath=FreeBSD+14.3-RELEASE+and+Ports>