Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
ARPWATCH(8)		    System Manager's Manual		   ARPWATCH(8)

NAME
       arpwatch	- keep track of	ethernet/ip address pairings

SYNOPSIS
       arpwatch	[ -dNvz	] [ -f datafile	] [ -i interface ]
	       [ -m email ] [ -n net[/width ]] [ -r file ]

DESCRIPTION
       Arpwatch	 keeps	track for ethernet/ip address pairings.	It syslogs ac-
       tivity and reports certain changes via email.  Arpwatch uses pcap(3) to
       listen for arp packets on a local ethernet interface.

       The  -d	flag is	used enable debugging. This also inhibits forking into
       the background and emailing the reports.	 Instead,  they	 are  sent  to
       stderr.

       The  -f	flag is	used to	set the	ethernet/ip address database filename.
       The default is arp.dat.

       The -i flag is used to override the default interface.

       The -m flag specifies the address that will receive  the	 emails.   The
       default is root.

       The  -n flag specifies additional local networks. This can be useful to
       avoid "bogon" warnings when there is more than one network  running  on
       the same	wire. If the optional width is not specified, the default net-
       mask for	the network's class is used.

       The -N flag disables reporting any bogons.

       The -v flag disables reporting on VRRP/CARP ethernet  prefixes  as  de-
       scribed in RFC5798 (00:00:5e:00:01:xx).

       The  -z	flag  disables reporting 0.0.0.0 changes, helpful in busy DHCP
       networks.

       The -r flag is used to specify a	 savefile  (perhaps  created  by  tcp-
       dump(1)	or  pcapture(1)) to read from instead of reading from the net-
       work. In	this case, arpwatch does not fork.

       Note that an empty arp.dat file must be created before the  first  time
       you run arpwatch.

REPORT MESSAGES
       Here's  a  quick	 list  of the report messages generated	by arpwatch(1)
       (and arpsnmp(1)):

       new activity
	      This ethernet/ip address pair has	been used for the  first  time
	      six months or more.

       new station
	      The ethernet address has not been	seen before.

       flip flop
	      The ethernet address has changed from the	most recently seen ad-
	      dress to the second most recently	seen address.  (If either  the
	      old  or  new ethernet address is a DECnet	address	and it is less
	      than 24 hours, the email version of the report is	suppressed.)

       changed ethernet	address
	      The host switched	to a new ethernet address.

SYSLOG MESSAGES
       Here are	some of	the syslog messages; note that messages	that  are  re-
       ported are also sysloged.

       ethernet	broadcast
	      The mac ethernet address of the host is a	broadcast address.

       ip broadcast
	      The ip address of	the host is a broadcast	address.

       bogon  The source ip address is not local to the	local subnet.

       ethernet	broadcast
	      The  source  mac or arp ethernet address was all ones or all ze-
	      ros.

       ethernet	mismatch
	      The source mac ethernet address didn't match the address	inside
	      the arp packet.

       reused old ethernet address
	      The ethernet address has changed from the	most recently seen ad-
	      dress to the third (or greater)  least  recently	seen  address.
	      (This is similar to a flip flop.)

       suppressed DECnet flip flop
	      A	 "flip	flop" report was suppressed because one	of the two ad-
	      dresses was a DECnet address.

FILES
       /usr/local/arpwatch - default directory
       arp.dat - ethernet/ip address database
       ethercodes.dat -	vendor ethernet	block list

SEE ALSO
       arpsnmp(8), arp(8), bpf(4), tcpdump(1), pcapture(1), pcap(3)

AUTHORS
       Craig Leres of the Lawrence Berkeley National  Laboratory  Network  Re-
       search Group, University	of California, Berkeley, CA.

       The current version is available	via anonymous ftp:

	      ftp://ftp.ee.lbl.gov/arpwatch.tar.gz

BUGS
       Please send bug reports to arpwatch@ee.lbl.gov.

       Attempts	 are made to suppress DECnet flip flops	but they aren't	always
       successful.

       Most error messages are posted using syslog.

4th Berkeley Distribution	8 October 2000			   ARPWATCH(8)

NAME | SYNOPSIS | DESCRIPTION | REPORT MESSAGES | SYSLOG MESSAGES | FILES | SEE ALSO | AUTHORS | BUGS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=arpwatch&sektion=8&manpath=FreeBSD+12.0-RELEASE+and+Ports>

home | help