Provided by: arpwatch_2.1a15-2_i386 bug


       arpwatch - keep track of ethernet/ip address pairings


       arpwatch [ -dN ]
               [ -f datafile ]
               [ -i interface ]
               [ -n net[/width ]]
               [ -r file ]
               [ -s sendmail_path ]
               [ -p ]
               [ -a ]
               [ -m addr ]
               [ -u username ]
               [ -R seconds ]
               [ -Q ]
               [ -z ignorenet/ignoremask ]


       Arpwatch  keeps  track  for  ethernet/ip  address  pairings. It syslogs
       activity and reports certain changes via email.  Arpwatch uses  pcap(3)
       to listen for arp packets on a local ethernet interface.

       The  -d  flag is used enable debugging. This also inhibits forking into
       the background and emailing the reports.  Instead,  they  are  sent  to

       The  -f  flag is used to set the ethernet/ip address database filename.
       The default is arp.dat.

       The -i flag is used to override the default interface.

       The -n flag specifies additional local networks. This can be useful  to
       avoid  "bogon"  warnings when there is more than one network running on
       the same wire. If the optional width  is  not  specified,  the  default
       netmask for the network's class is used.

       The -N flag disables reporting any bogons.

       The  -r  flag  is  used  to  specify  a  savefile  (perhaps  created by
       tcpdump(1) or pcapture(1)) to read from instead  of  reading  from  the
       network. In this case, arpwatch does not fork.

       (Debian)  The  -s  flag  is  used  to  specify the path to the sendmail
       program.  Any program that takes the option -odi  and  then  text  from
       stdin can be substituted. This is useful for redirecting reports to log
       files instead of mail.

       (Debian) The -p flag disables promiscuous  operation.   ARP  broadcasts
       get  through  hubs  without  having  the interface in promiscuous mode,
       while saving considerable resources that would be wasted on  processing
       gigabytes  of  non-broadcast  traffic.   OTOH, setting promiscuous mode
       does not mean getting 100% traffic that would concern arpwatch .  YMMV.

       (Debian) -a By default, arpwatch reports bogons (unless  -N  is  given)
       for  IP addresses that are in the same subnet than the first IP address
       of the default interface.  If this option is specified,  arpwatch  will
       report bogons about every IP addresses.

       (Debian)  The  -m option is used to specify the e-mail address to which
       reports will be sent.  By default, reports are  sent  to  root  on  the
       local machine.

       (Debian)  The  -u  flag  instructs arpwatch to drop root privileges and
       change the UID to username and GID to the primary group of  username  .
       This  is  recommended  for  security  reasons, but username has to have
       write access to the default directory.

       (Debian) The -R flag instructs arpwatch to restart in  seconds  seconds
       after  the  interface  went  down.   By default, in such cases arpwatch
       would print an error message and  exit.   This  option  is  ignored  if
       either the -r or -u flags are used.

       (Debian) The -Q flags prevents arpwatch from sending reports by mail.

       (Debian)  The  -z flag is used to set a range of ip addresses to ignore
       (such as a DHCP range). Netmask is specified as

       Note that an empty arp.dat file must be created before the  first  time
       you run arpwatch.


       Here's  a  quick  list  of the report messages generated by arpwatch(1)
       (and arpsnmp(1)):

       new activity
              This ethernet/ip address pair has been used for the  first  time
              six months or more.

       new station
              The ethernet address has not been seen before.

       flip flop
              The  ethernet  address  has  changed from the most recently seen
              address to the second most recently seen  address.   (If  either
              the  old  or  new ethernet address is a DECnet address and it is
              less  than  24  hours,  the  email  version  of  the  report  is

       changed ethernet address
              The host switched to a new ethernet address.


       Here  are  some  of  the  syslog  messages; note that messages that are
       reported are also sysloged.

       ethernet broadcast
              The mac ethernet address of the host is a broadcast address.

       ip broadcast
              The ip address of the host is a broadcast address.

       bogon  The source ip address is not local to the local subnet.

       ethernet broadcast
              The source mac or arp ethernet  address  was  all  ones  or  all

       ethernet mismatch
              The  source mac ethernet address didn't match the address inside
              the arp packet.

       reused old ethernet address
              The ethernet address has changed from  the  most  recently  seen
              address  to  the third (or greater) least recently seen address.
              (This is similar to a flip flop.)

       suppressed DECnet flip flop
              A "flip flop" report was  suppressed  because  one  of  the  two
              addresses was a DECnet address.


       /var/lib/arpwatch - default directory
       arp.dat - ethernet/ip address database
       /usr/share/arpwatch/ethercodes.dat - vendor ethernet block list


       arpsnmp(8), arp(8), bpf(4), tcpdump(1), pcapture(1), pcap(3)


       Craig  Leres  of  the  Lawrence  Berkeley  National  Laboratory Network
       Research Group, University of California, Berkeley, CA.

       The current version is available via anonymous ftp:



       Please send bug reports to

       Attempts are made to suppress DECnet flip flops but they aren't  always

       Most error messages are posted using syslog.