arpwatch - keep track of ethernet/ip address pairings


   arpwatch [ -dN ]
           [ -f datafile ]
           [ -i interface ]
           [ -n net[/width ]]
           [ -r file ]
           [ -s sendmail_path ]
           [ -p ]
           [ -a ]
           [ -m addr ]
           [ -u username ]
           [ -R seconds ]
           [ -Q ]
           [ -z ignorenet/ignoremask ]


   Arpwatch  keeps  track  for  ethernet/ip  address  pairings. It syslogs
   activity and reports certain changes via email.  Arpwatch uses  pcap(3)
   to listen for arp packets on a local ethernet interface.

   The  -d  flag is used enable debugging. This also inhibits forking into
   the background and emailing the reports.  Instead,  they  are  sent  to

   The  -f  flag is used to set the ethernet/ip address database filename.
   The default is arp.dat.

   The -i flag is used to override the default interface.

   The -n flag specifies additional local networks. This can be useful  to
   avoid  "bogon"  warnings when there is more than one network running on
   the same wire. If the optional width  is  not  specified,  the  default
   netmask for the network's class is used.

   The -N flag disables reporting any bogons.

   The  -r  flag  is  used  to  specify  a  savefile  (perhaps  created by
   tcpdump(1) or pcapture(1)) to read from instead  of  reading  from  the
   network. In this case, arpwatch does not fork.

   (Debian)  The  -s  flag  is  used  to  specify the path to the sendmail
   program.  Any program that takes the option -odi  and  then  text  from
   stdin can be substituted. This is useful for redirecting reports to log
   files instead of mail.

   (Debian) The -p flag disables promiscuous  operation.   ARP  broadcasts
   get  through  hubs  without  having  the interface in promiscuous mode,
   while saving considerable resources that would be wasted on  processing
   gigabytes  of  non-broadcast  traffic.   OTOH, setting promiscuous mode
   does not mean getting 100% traffic that would concern arpwatch .  YMMV.

   (Debian) -a By default, arpwatch reports bogons (unless  -N  is  given)
   for  IP addresses that are in the same subnet than the first IP address
   of the default interface.  If this option is specified,  arpwatch  will
   report bogons about every IP addresses.

   (Debian)  The  -m option is used to specify the e-mail address to which
   reports will be sent.  By default, reports are  sent  to  root  on  the
   local machine.

   (Debian)  The  -u  flag  instructs arpwatch to drop root privileges and
   change the UID to username and GID to the primary group of  username  .
   This  is  recommended  for  security  reasons, but username has to have
   write access to the default directory.

   (Debian) The -R flag instructs arpwatch to restart in  seconds  seconds
   after  the  interface  went  down.   By default, in such cases arpwatch
   would print an error message and  exit.   This  option  is  ignored  if
   either the -r or -u flags are used.

   (Debian) The -Q flags prevents arpwatch from sending reports by mail.

   (Debian)  The  -z flag is used to set a range of ip addresses to ignore
   (such as a DHCP range). Netmask is specified as

   Note that an empty arp.dat file must be created before the  first  time
   you run arpwatch.


   Here's  a  quick  list  of the report messages generated by arpwatch(1)
   (and arpsnmp(1)):

   new activity
          This ethernet/ip address pair has been used for the  first  time
          six months or more.

   new station
          The ethernet address has not been seen before.

   flip flop
          The  ethernet  address  has  changed from the most recently seen
          address to the second most recently seen  address.   (If  either
          the  old  or  new ethernet address is a DECnet address and it is
          less  than  24  hours,  the  email  version  of  the  report  is

   changed ethernet address
          The host switched to a new ethernet address.


   Here  are  some  of  the  syslog  messages; note that messages that are
   reported are also sysloged.

   ethernet broadcast
          The mac ethernet address of the host is a broadcast address.

   ip broadcast
          The ip address of the host is a broadcast address.

   bogon  The source ip address is not local to the local subnet.

   ethernet broadcast
          The source mac or arp ethernet  address  was  all  ones  or  all

   ethernet mismatch
          The  source mac ethernet address didn't match the address inside
          the arp packet.

   reused old ethernet address
          The ethernet address has changed from  the  most  recently  seen
          address  to  the third (or greater) least recently seen address.
          (This is similar to a flip flop.)

   suppressed DECnet flip flop
          A "flip flop" report was  suppressed  because  one  of  the  two
          addresses was a DECnet address.


   /var/lib/arpwatch - default directory
   arp.dat - ethernet/ip address database
   /usr/share/arpwatch/ethercodes.dat - vendor ethernet block list


   arpsnmp(8), arp(8), bpf(4), tcpdump(1), pcapture(1), pcap(3)


   Craig  Leres  of  the  Lawrence  Berkeley  National  Laboratory Network
   Research Group, University of California, Berkeley, CA.

   The current version is available via anonymous ftp:


   Please send bug reports to

   Attempts are made to suppress DECnet flip flops but they aren't  always

   Most error messages are posted using syslog.


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.

Free Software

Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.

Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.

Free Books

The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.

Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.

Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.