ARP (Address Resolution Protocol) maps a device's IP address to its MAC address on a local area network (LAN). Linux caches these mappings in an ARP table, which it uses for efficient layer 2 packet delivery.
Use arp or ip neigh to inspect the table:
arp -a
ip neigh show
If arp is missing, install the net-tools package that provides it:
sudo apt install net-tools
Clear cached entries:
sudo ip -s -s neigh flush all
arpwatch is a monitoring daemon that watches ARP activity and logs changes, such as new MAC addresses appearing or IPs switching hardware. It's useful for detecting network anomalies and ARP spoofing attempts.
sudo apt install arpwatch # Debian / Ubuntu
sudo yum install arpwatch # CentOS / RHEL
Start monitoring a specific interface (e.g., eth0):
sudo arpwatch -i eth0 -f /var/lib/arpwatch/arp.dat
Optional: send alert emails
sudo arpwatch -i eth0 -e [email protected]
New device:
arpwatch: new station 192.168.1.20 [00:11:22:33:44:55] on eth0
MAC change for existing IP:
arpwatch: changed ethernet address for 192.168.1.20 from 00:11:22:AA:BB to 00:11:22:33:44:55
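The two events shown above (a new station, and a changed MAC for a known IP) can also be checked one-shot by comparing two saved copies of ip neigh show output. This is an added example, not part of the original page and not arpwatch's own code; the function names are hypothetical and both sample tables are constructed.

```python
import re
from collections import defaultdict

# IPv4 entry with a resolved MAC: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b")

def parse_neigh(text):
    """Return {(dev, ip): mac}; FAILED/INCOMPLETE and IPv6 lines are skipped."""
    matches = (NEIGH_RE.match(line.strip()) for line in text.splitlines())
    return {(m["dev"], m["ip"]): m["mac"].lower() for m in matches if m}

def new_stations(baseline, current):
    """(dev, ip) pairs absent from the baseline ("new station")."""
    return sorted(k for k in current if k not in baseline)

def changed_macs(baseline, current):
    """(dev, ip, old_mac, new_mac) where a known IP now maps to another MAC."""
    return sorted((dev, ip, baseline[(dev, ip)], mac)
                  for (dev, ip), mac in current.items()
                  if baseline.get((dev, ip), mac) != mac)

def shared_macs(current):
    """{(dev, mac): [ips]} for MACs answering for more than one IPv4 address."""
    owners = defaultdict(set)
    for (dev, ip), mac in current.items():
        owners[(dev, mac)].add(ip)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

# Constructed sample snapshots (not captured from a real network).
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:aa:bb:cc REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 STALE
"""
CURRENT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:66:77:88 DELAY
192.168.1.40 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:aa:bb:cc router STALE
"""

if __name__ == "__main__":
    old, new = parse_neigh(BASELINE), parse_neigh(CURRENT)
    for finding in (new_stations(old, new), changed_macs(old, new), shared_macs(new)):
        print(finding)
```

A MAC shared by several IPs is only a lead: multi-homed hosts and routers doing proxy ARP produce it legitimately, so confirm against the asset inventory before treating it as spoofing.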
arp and arpwatch are valuable Linux tools for local network diagnostics and security. Monitoring ARP behavior can reveal hidden changes in network structure, assist with asset tracking, and mitigate spoofing threats. They're especially important in sensitive networks and data centers.