Reduce context-switching for engineers

Self-Hosted AI Code Reviewer

Hexmos LiveReview AI-Powered Code Review
Live Review
AI-Powered Code Review

Arpwatch - Monitor Network IP Address Pairings

Monitor Ethernet/IP address pairings with Arpwatch. Track network changes, receive notifications, and log activity for security and network management.

Arpwatch

Arpwatch Command Examples

Arpwatch is a utility that monitors Ethernet/IP address pairings on a network. It can help detect ARP spoofing and other network anomalies by logging changes in MAC address to IP address mappings. Below are common usage examples:

# arpwatch
# Monitor Ethernet/IP address pairings on the network.

# Start arpwatch in the background to monitor Ethernet/IP address pairings on the default network interface
arpwatch -i eth0 &

# Specify a custom log file to redirect arpwatch's output
arpwatch -i eth0 -f /var/log/arpwatch.log &

# Start arpwatch with a custom email address for sending notifications about changes in address pairings
arpwatch -i eth0 -m admin@example.com &

# Use a different program for sending email notifications instead of the default sendmail
arpwatch -i eth0 -M /path/to/custom/sendmail

# Specify a different file for retrieving previously recorded Ethernet/IP address pairings
arpwatch -i eth0 -r /path/to/old_arp.dat

# Run arpwatch with a custom timeout value for age checking in the activity file
arpwatch -i eth0 -a 3600

# Run arpwatch with a custom timezone setting for timestamps
arpwatch -i eth0 -z UTC

# Enable a specific syslog facility for logging arpwatch messages
arpwatch -i eth0 -s local0

Understanding Arpwatch Functionality

Arpwatch plays a crucial role in network administration and security. By continuously observing ARP (Address Resolution Protocol) traffic, it maintains a database of IP-to-MAC address associations. When a new pairing is detected or an existing one changes, Arpwatch can trigger alerts, making it an invaluable tool for identifying potential security threats like ARP poisoning or unauthorized devices on the network. Its ability to log these changes provides a historical record for forensic analysis and network troubleshooting.

Key Arpwatch Options Explained

The command-line options for Arpwatch offer flexibility in how you monitor your network. The -i flag is essential for specifying the network interface to listen on. The -f option allows you to direct logs to a specific file, which is useful for centralized logging. For immediate notification of suspicious activity, the -m option lets you set an email address to receive alerts. Advanced users can customize the email sending mechanism with -M or manage historical data with -r. The -a option helps in managing the activity file's age, while -z allows for timezone-specific logging, and -s integrates with syslog for system-level logging.

Network Monitoring with Arpwatch

Effective network monitoring is key to maintaining a stable and secure environment. Arpwatch provides a simple yet powerful way to keep an eye on ARP traffic, which is fundamental to how devices communicate on a local network. By understanding the normal IP-to-MAC mappings, administrators can quickly spot deviations that might indicate malicious activity. This tool is particularly useful in environments where network security is paramount, such as corporate networks or sensitive research facilities. Regular review of Arpwatch logs can prevent security breaches and ensure network integrity.

← Back to cmd cheatsheets All cheatsheets 🙏  Credits & Acknowledgments