ARPWATCH man page on Mageia

ARPWATCH(8)							   ARPWATCH(8)

NAME
       arpwatch - keep track of ethernet/ip address pairings

SYNOPSIS
       arpwatch [ -dNw ] [ -f datafile ] [ -i interface ]
		[ -n net[/width ]] [ -r file ] [ -u username ] [ -e username ]
       [ -s username ]

DESCRIPTION
       Arpwatch keeps track of ethernet/ip address pairings. It syslogs
       activity and reports certain changes via email. Arpwatch uses pcap(3)
       to listen for arp packets on a local ethernet interface.

       The -d flag is used to enable debugging. This also inhibits forking
       into the background and emailing the reports. Instead, they are sent
       to stderr.

       The -f flag is used to set the ethernet/ip address  database  filename.
       The default is arp.dat.

       The -i flag is used to override the default interface.

       The -n flag specifies additional local networks. This can be useful to
       avoid "bogon" warnings when there is more than one network running on
       the same wire. If the optional width is not specified, the default
       netmask for the network's class is used.

       The -N flag disables reporting any bogons.

       The -w flag is used to  specify	an  interface  without	a  valid  IPv4
       address.

       The -r flag is used to specify a savefile (perhaps created by
       tcpdump(1) or pcapture(1)) to read from instead of reading from the
       network. In this case, arpwatch does not fork.

       If the -u flag is used, arpwatch drops root privileges and changes
       user ID to username and group ID to that of the primary group of
       username. This is recommended for security reasons.

       If  the	-e  flag  is  used, arpwatch sends e-mail messages to username
       rather than the default (root).	If a single `-' character is given for
       the  username,  sending of e-mail is suppressed, but logging via syslog
       is still done as usual.	(This can be useful during  initial  runs,  to
       collect data without being flooded with messages about new stations.)

       If the -s flag is used, arpwatch sends e-mail messages with username as
       the return address, rather than the default (root).

       Note that an empty arp.dat file must be created before the first time
       you run arpwatch. Also, the default directory (where arp.dat is
       stored) must be owned by username if the -u flag is used.
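
A pre-flight check for the two requirements in the note above, as an added example that is not part of the original man page. The user name `arpwatch` in the usage comment is an assumption; the directory is the default listed under FILES.

```shell
#!/bin/sh
# Added example: verify the preconditions for "arpwatch -u <user>".
# Prints one line per problem and returns 0 only when none is found.
#   $1 = data directory, $2 = unprivileged user, $3 = database name
arpwatch_precheck() {
    dir=$1 user=$2 db=${3:-arp.dat} rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    # Third field of "ls -ld" is the owner of the directory itself.
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$owner" != "$user" ]; then
        echo "directory owned by $owner, not $user: $dir"
        rc=1
    fi
    # arpwatch expects an (initially empty) database file to exist.
    if [ ! -f "$dir/$db" ]; then
        echo "database not created yet: $dir/$db"
        rc=1
    fi
    return $rc
}

# Usage (hypothetical user "arpwatch"; -e - suppresses mail while the
# database is first being populated, as described above):
#   arpwatch_precheck /usr/operator/arpwatch arpwatch &&
#       arpwatch -u arpwatch -e -
```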

REPORT MESSAGES
       Here's a quick list of the report  messages  generated  by  arpwatch(1)
       (and arpsnmp(1)):

       new activity
	      This ethernet/ip address pair has been used for the first time
	      in six months or more.

       new station
	      The ethernet address has not been seen before.

       flip flop
	      The ethernet address has changed from the most recently seen
	      address to the second most recently seen address. (If either
	      the old or new ethernet address is a DECnet address and it is
	      less than 24 hours, the email version of the report is
	      suppressed.)

       changed ethernet address
	      The host switched to a new ethernet address.

SYSLOG MESSAGES
       Here are some of the syslog messages; note that messages that are
       reported are also syslogged.

       ethernet broadcast
	      The mac ethernet address of the host is a broadcast address.

       ip broadcast
	      The ip address of the host is a broadcast address.

       bogon  The source ip address is not local to the local subnet.

       ethernet broadcast
	      The  source  mac	or  arp	 ethernet  address was all ones or all
	      zeros.

       ethernet mismatch
	      The source mac ethernet address didn't match the address	inside
	      the arp packet.

       reused old ethernet address
	      The  ethernet  address  has  changed from the most recently seen
	      address to the third (or greater) least recently	seen  address.
	      (This is similar to a flip flop.)

       suppressed DECnet flip flop
	      A	 "flip	flop"  report  was  suppressed	because one of the two
	      addresses was a DECnet address.
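
The messages above that report a changed or mismatched ethernet address for an IP are the ones to review first. The following added example (not part of the original man page) counts them per IP address; the log line layout, `arpwatch: <message> <ip> ...`, and the sample lines are constructed assumptions, so adjust the parsing to what your syslog actually writes.

```shell
#!/bin/sh
# Added example: summarise arpwatch syslog lines that report an ethernet
# address change or mismatch. Output: ip<TAB>message<TAB>count, sorted.
arpwatch_triage() {
    awk '
    BEGIN {
        n = split("reused old ethernet address,changed ethernet address," \
                  "ethernet mismatch,flip flop", names, ",")
    }
    {
        # Assumed syslog tag: "arpwatch: " or "arpwatch[pid]: ".
        if (!match($0, /arpwatch(\[[0-9]+\])?: /)) next
        rest = substr($0, RSTART + RLENGTH)
        for (k = 1; k <= n; k++) {
            # Message name must start the text, so the line
            # "suppressed DECnet flip flop" is not counted as a flip flop.
            if (index(rest, names[k] " ") == 1) {
                split(substr(rest, length(names[k]) + 2), f, " ")
                count[f[1] "\t" names[k]]++
            }
        }
    }
    END { for (key in count) print key "\t" count[key] }
    ' "$@" | LC_ALL=C sort
}

# Constructed sample input (documentation addresses, invented MACs).
sample_log() {
cat <<'EOF'
Jan 10 09:00:01 gw arpwatch: new station 192.0.2.10 0:16:3e:0:0:a eth0
Jan 10 09:05:12 gw arpwatch: changed ethernet address 192.0.2.1 0:16:3e:0:0:bb (0:16:3e:0:0:1) eth0
Jan 10 09:05:40 gw arpwatch: flip flop 192.0.2.1 0:16:3e:0:0:1 (0:16:3e:0:0:bb) eth0
Jan 10 09:06:02 gw arpwatch: flip flop 192.0.2.1 0:16:3e:0:0:bb (0:16:3e:0:0:1) eth0
Jan 10 09:07:30 gw arpwatch[812]: ethernet mismatch 192.0.2.20 0:16:3e:0:0:14 (0:16:3e:0:0:15) eth0
Jan 10 09:08:00 gw arpwatch: suppressed DECnet flip flop 192.0.2.30 aa:0:4:0:1:4 (0:16:3e:0:0:1e) eth0
Jan 10 09:09:00 gw arpwatch: bogon 198.51.100.7 0:16:3e:0:0:7 eth0
EOF
}

sample_log | arpwatch_triage
```

With no arguments the function reads standard input; pass one or more log file names to scan files instead.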

FILES
       /usr/operator/arpwatch - default directory
       arp.dat - ethernet/ip address database
       ethercodes.dat - vendor ethernet block list

SEE ALSO
       arpsnmp(8), arp(8), bpf(4), tcpdump(1), pcapture(1), pcap(3)

AUTHORS
       Craig Leres of the Lawrence Berkeley National Laboratory Network
       Research Group, University of California, Berkeley, CA.

       The current version is available via anonymous ftp:

	      ftp://ftp.ee.lbl.gov/arpwatch.tar.gz

BUGS
       Please send bug reports to arpwatch@ee.lbl.gov.

       Attempts	 are made to suppress DECnet flip flops but they aren't always
       successful.

       Most error messages are posted using syslog.

4th Berkeley Distribution	8 October 2000			   ARPWATCH(8)