Updated Jul 21, 2025

1. What Is ARP?


ARP (Address Resolution Protocol) maps a device's IP address to its MAC address on a local area network (LAN). Linux caches the resolved mappings in an ARP table (the neighbor table) and uses it to address layer 2 frames without re-resolving every packet.


2. Viewing the ARP Table


Use arp or ip neigh to inspect the table:

arp -a
ip neigh show

If the arp command is missing, install the net-tools package (Debian / Ubuntu):

sudo apt install net-tools

3. Flushing the ARP Table


Clear cached entries:

sudo ip -s -s neigh flush all

4. What Is arpwatch?


arpwatch is a monitoring daemon that watches ARP activity and logs changes, such as a new MAC address appearing or an IP address moving to a different MAC address. It's useful for detecting network anomalies and ARP spoofing attempts.


5. Installing arpwatch


sudo apt install arpwatch        # Debian / Ubuntu
sudo yum install arpwatch        # CentOS / RHEL

6. Running arpwatch


Start monitoring a specific interface (e.g., eth0):

sudo arpwatch -i eth0 -f /var/lib/arpwatch/arp.dat

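Optional: send alert emails (the option that sets the recipient differs between arpwatch builds, so check man arpwatch on your system):

sudo arpwatch -i eth0 -e <recipient-address>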

7. Log and Data File Locations


  • /var/lib/arpwatch/arp.dat: ARP database
  • /var/log/syslog: Event logs on Debian
  • /var/log/messages: Event logs on Red Hat/CentOS

8. Sample Output


New device:

arpwatch: new station 192.168.1.20 [00:11:22:33:44:55] on eth0

MAC change for existing IP:

arpwatch: changed ethernet address for 192.168.1.20 from 00:11:22:AA:BB to 00:11:22:33:44:55
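
The following is an added example, not part of the original article: a small triage script that reads log lines in the two formats shown above and separates a plain MAC change from stronger spoofing indicators. The `pinned` allowlist, the alert names and the sample log are assumptions constructed for illustration, and the exact syslog wording varies between arpwatch builds, so adjust the patterns to match yours.

```python
import re
from collections import defaultdict

# Patterns mirror the two sample lines in section 8 (assumed log wording).
MAC = r"[0-9A-Fa-f:]+"
NEW = re.compile(rf"arpwatch: new station (\S+) \[({MAC})\]")
CHANGED = re.compile(
    rf"arpwatch: changed ethernet address for (\S+) from ({MAC}) to ({MAC})")

# Constructed sample log (not real traffic): the gateway's IP moves to the MAC
# of an existing host and then moves back.
SAMPLE = """\
Jul 21 10:00:01 host arpwatch: new station 192.168.1.1 [00:11:22:00:00:01] on eth0
Jul 21 10:00:05 host arpwatch: new station 192.168.1.20 [00:11:22:33:44:55] on eth0
Jul 21 10:07:12 host arpwatch: changed ethernet address for 192.168.1.1 from 00:11:22:00:00:01 to 00:11:22:33:44:55
Jul 21 10:07:40 host arpwatch: changed ethernet address for 192.168.1.1 from 00:11:22:33:44:55 to 00:11:22:00:00:01
""".splitlines()

def analyze(lines, pinned=None):
    """Return (kind, ip, mac) alerts. `pinned` is a hypothetical allowlist
    mapping static, critical IPs (gateway, DNS) to their only valid MAC."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    history = defaultdict(list)  # ip -> every MAC seen for it, in order
    owners = defaultdict(set)    # mac -> IPs currently bound to it
    alerts = []
    for line in lines:
        if m := NEW.search(line):
            ip, old, mac = m[1], None, m[2].lower()
        elif m := CHANGED.search(line):
            ip, old, mac = m[1], m[2].lower(), m[3].lower()
        else:
            continue  # not an arpwatch event this script parses
        if old is not None:
            if old not in history[ip]:
                history[ip].append(old)  # log started after the first binding
            # Returning to an earlier MAC means two stations contend for the IP.
            alerts.append(("flip-flop" if mac in history[ip] else "mac-changed", ip, mac))
            owners[old].discard(ip)
        if pinned.get(ip, mac) != mac:
            alerts.append(("pinned-violation", ip, mac))
        history[ip].append(mac)
        owners[mac].add(ip)
        if len(owners[mac]) > 1:  # one NIC now answers for several IPs
            alerts.append(("shared-mac", ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE, pinned={"192.168.1.1": "00:11:22:00:00:01"}):
        print(*alert)
```

On DHCP ranges a lone `mac-changed` is routine; `pinned-violation`, `shared-mac` and `flip-flop` on statically addressed hosts are the alerts worth paging on.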

9. Use Cases


  • Detect unauthorized devices on the LAN
  • Track MAC/IP address changes
  • Monitor for ARP spoofing attempts (arpwatch alerts on them; it does not block them)
  • Audit historical device connections over time

10. Security Considerations


  • Run with root privileges to access network interfaces
  • On DHCP networks, expect frequent MAC/IP changes
  • Secure SMTP/email alerts to avoid abuse

11. Conclusion


arp and arpwatch are valuable Linux tools for local network diagnostics and security. Monitoring ARP behavior can reveal hidden changes in network structure, assist with asset tracking, and mitigate spoofing threats. They're especially important in sensitive networks and data centers.


Written & researched by Dr. Shahin Siami