-d is used enable debugging. This also inhibits forking into the background and emailing the reports. Instead, they are sent to stdout.
-f is used to set the ethernet/ip address database filename. The default is arp.dat.
-i is used to override the default interface.
-n specifies additional local networks. This can be useful to avoid "bogon" warnings when there is more than one network running on the same wire. If the optional width is not specified, the default netmask for the network's class is used.
-N disables reporting any bogons; see option -n.
-r is used to specify a savefile (perhaps created by tcpdump(1) or pcapture(1)) to read from instead of reading from the network. In this case, arpwatch does not fork.
-m selects the output mode (report mode). Currently, 0 means the old mode (via sendmail), 1 is a simple stdout mode and arpwatch will not fork into the background. 2 means raw mode, where the fields are separated by a ",". Default is 0.
-p flag disables promiscuous operation. ARP broadcasts get through hubs without having the interface in promiscuous mode, while saving considerable resources that would be wasted on processing gigabytes of non-broadcast traffic. OTOH, setting promiscuous mode does not mean getting 100% traffic that would concern arpwatch.
-P option allows to specify a pcap filter expression for the traffic that will be watched by arpwatch. Prepended will be "(arp or rarp) and" to select only the ARP traffic. For expression please see tcpdump(8). Expressions must be enclosed in quotation marks ("").
Example: arpwatch -P "src net 10.20.23.0/24"
-s flag is used to specify the path to the sendmail program. Any program that takes the option -odi and then text from stdin can be substituted. This is useful for redirecting reports to log files instead of mail
-F option is used to specify From: field of the report message. By default arpwatch.
-t option is used to specify the e-mail address to which reports will be sent. By default, reports are sent to root on the local machine.
-u instructs arpwatch to drop root privileges and change the UID to username and GID to the primary group of username. This is recommended for security reasons, but username has to have write access to the default directory.
Note that an empty arp.dat file must be created before the first time you run arpwatch.
/usr/operator/arpwatch - default directory arp.dat - ethernet/ip address database ethercodes.dat - vendor ethernet block list
Craig Leres of the Lawrence Berkeley National Laboratory Network Research Group, University of California, Berkeley, CA.
The old arpwatch is available via anonymous ftp:
Numerous Debian vendor patches were merged, thanks to Peter Kelemen
arpwatch NG versions are announced at:
Most error messages are posted using syslog.