Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
ARPWATCH(8)		FreeBSD	System Manager's Manual		   ARPWATCH(8)

     arpwatch -- keep track of ethernet/ip address pairings

     arpwatch [-CdFNpqsvzZ] [-D	arpdir]	[-f datafile] [-i interface]
	      [-P pidfile] [-w watcher@email] [-W watchee@email]
	      [-n net[/width]] [-x net[/width]]	[-r file]

     arpwatch keeps track of ethernet/ip address pairings. It syslogs activity
     and reports certain changes via email.  arpwatch uses pcap(3) to listen
     for arp packets on	a local	ethernet interface.

     The -C flag uses compact padded ethernet addresses	in arp.dat, e.g.

     The -d flag is used enable	debugging. This	also inhibits forking into the
     background	and emailing the reports. Instead, they	are sent to stderr.

     The -D flag is used to specify the	arpwatch working directory. This de-
     faults to /usr/local/arpwatch.

     The -f flag is used to set	the ethernet/ip	address	database filename.
     The default is arp.dat.

     The -F flag is prevents arpwatch from forking causing it to run in	the

     The -i flag is used to override the default interface.

     The -n flag specifies additional local networks. This can be useful to
     avoid "bogon" warnings when there is more than one	network	running	on the
     same wire.	If the optional	width is not specified,	the default netmask
     for the network's class is	used.

     The -N flag disables reporting any	bogons.

     The -p flag disables promiscuous mode.

     The -P flag specifies the pidfile.

     The -q flag suppresses reports being logged or printed to stderr.

     The -r flag is used to specify a savefile (perhaps	created	by tcpdump(1)
     or	pcapture(1)) to	read from instead of reading from the network. In this
     case arpwatch does	not fork.

     Note that an empty	arp.dat	file must be created before the	first time you
     run -arpwatch.

     The -s flag suppresses reports sent by email.

     The -v flag disables the reporting	of VRRP/CARP ethernet prefixes as de-
     scribed in	RFC5798	(00:00:5e:00:01:xx).

     The -w flag is used to specify the	target address for email reports. The
     default is	root.

     The -W flag is used specifies the from address for	email reports. The de-
     fault is root.

     The -z flag disables reporting changes, helpful in	busy DHCP-
     served networks.

     The -Z flag (default) uses	zero padded ethernet addresses in arp.dat,
     e.g. 00:08:e1:01:02:d6.

     Here's a quick list of the	report messages	generated by arpwatch(1) (and

     new activity
	  This ethernet/ip address pair	has been used for the first time six
	  months or more.

     new station
	  The ethernet address has not been seen before.

     flip flop
	  The ethernet address has changed from	the most recently seen address
	  to the second	most recently seen address.  (If either	the old	or new
	  ethernet address is a	DECnet address and it is less than 24 hours,
	  the email version of the report is suppressed.)

     changed ethernet address
	  The host switched to a new ethernet address.

     Here are some of the syslog messages; note	that messages that are re-
     ported are	also sysloged.

     ethernet broadcast
	  The mac ethernet address of the host is a broadcast address.

     ip	broadcast
	  The ip address of the	host is	a broadcast address.

	  The source ip	address	is not local to	the local subnet.

     ethernet broadcast
	  The source mac or arp	ethernet address was all ones or all zeros.

     ethernet mismatch
	  The source mac ethernet address didn't match the address inside the
	  arp packet.

     reused old	ethernet address
	  The ethernet address has changed from	the most recently seen address
	  to the third (or greater) least recently seen	address.  (This	is
	  similar to a flip flop.)

     suppressed	DECnet flip flop
	  A "flip flop"	report was suppressed because one of the two addresses
	  was a	DECnet address.

     /usr/local/arpwatch  default directory
     arp.dat		  default ethernet/ip address database
     ethercodes.dat	  vendor ethernet block	list

     arpsnmp(8), arp(8), bpf(4), tcpdump(1), pcapture(1), pcap(3)

     Craig Leres of the	Lawrence Berkeley National Laboratory Network Research
     Group, University of California, Berkeley,	CA.

     The current version is available via anonymous ftp:

     Please send bug reports to	<>.

     Attempts are made to suppress DECnet flip flops but they aren't always

     Most error	messages are posted using syslog.

				1 December 2019


Want to link to this manual page? Use this URL:

home | help