Network

arpwatch

Monitor ARP activity and detect MAC address changes.

arpmonitoringmacnetworksecurity

Additional Notes

arpwatch monitors ARP traffic and records IP-to-MAC address pairings. It can help notice new devices, changed MAC addresses, and possible ARP spoofing or network inventory changes.

It is normally run as a daemon by a service manager, but it can also be started manually for monitoring on an interface.

Syntax

arpwatch [options]

Parameters

  • interface: Network interface to monitor, often selected with -i.
  • options: Email, file, interface, and foreground/debug controls.

Common Options

  • -i IFACE: Listen on a specific interface.
  • -f FILE: Use a specific database file.
  • -n NETWORK: Specify a local network.
  • -d: Debug or foreground mode on many builds.
  • -u USER: Drop privileges to a user when supported.

Examples

sudo arpwatch -i eth0

Monitor ARP activity on eth0.

systemctl status arpwatch

Check daemon status when installed as a service.

sudo journalctl -u arpwatch

Review service logs on systemd systems.

Practical Notes

  • ARP changes can be normal: DHCP leases, device replacements, virtual machines, and Wi-Fi roaming can all change observations.
  • Treat alerts as investigation leads, not proof by themselves.
  • Monitoring requires visibility into the local network segment.