
How to Install and Configure arpwatch: A Beginner's Guide

EndTech blog

Arpwatch is a useful network tool that monitors ARP (Address Resolution Protocol) traffic on a network. With it, you can detect potential man-in-the-middle attacks and track changes in the mapping of IP addresses to MAC addresses. It is particularly useful for network administrators who want to ensure the security of their infrastructure.

Installing arpwatch

Debian/Ubuntu-based distributions:

sudo apt install arpwatch

Configuring arpwatch

After installation, arpwatch usually saves logs to the /var/log/arpwatch file. You can customize the program’s behavior by editing the configuration file. Its location may vary depending on the distribution, but it is often found in /etc/default/arpwatch or /etc/sysconfig/arpwatch.

In the configuration file, you can change, among other things:

  • Log file: Specifies which file logs will be written to.
  • Interfaces: Specifies on which network interfaces arpwatch will run.
  • Log verbosity level: Specifies what information will be written to the logs.
  • Filters: You can configure filters to limit the amount of generated logs.

Running arpwatch

To start arpwatch, use the following command:
sudo systemctl start arpwatch

Analyzing logs

The logs generated by arpwatch contain information about changes in the mapping of IP addresses to MAC addresses. You can view them using any text editor or log analysis tool. Example log entry:
2024-11-23 12:34:56: IP 192.168.1.100 at 00:11:22:33:44:55 on eth0
This means that on the eth0 interface, the IP address 192.168.1.100 was observed with the MAC address 00:11:22:33:44:55. A later entry showing the same IP address with a different MAC address is the kind of change worth investigating.
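Reading a single entry is easy; the useful part is replaying a whole log and flagging when an IP address changes its MAC address, or when one MAC address starts claiming several IP addresses (for example a host suddenly answering for the gateway). The script below is an added example, not code from the post or from the arpwatch project. It parses the entry format shown above and, as an assumption, also the wording arpwatch itself uses in syslog ("new station", "changed ethernet address", "flip flop", with the previous MAC address in parentheses); the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Two line shapes are recognised:
#  1. the format shown in the post: "<date> <time>: IP <ip> at <mac> on <iface>"
#  2. (assumed) arpwatch's own syslog wording, e.g.
#     "Nov 23 12:43:05 host arpwatch: changed ethernet address <ip> <mac> (<old mac>) <iface>"
POST_FORMAT = re.compile(
    r"^(?P<ts>\S+ \S+): IP (?P<ip>[\d.]+) at (?P<mac>[0-9A-Fa-f:]+) on (?P<iface>\S+)$"
)
SYSLOG_FORMAT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ arpwatch(?:\[\d+\])?: "
    r"(?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>[\d.]+) (?P<mac>[0-9A-Fa-f:]+)(?: \((?P<old>[0-9A-Fa-f:]+)\))? (?P<iface>\S+)$"
)


def normalize_mac(mac):
    """Lower-case and zero-pad each octet; arpwatch prints MACs like '0:11:22:33:44:55'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_line(line):
    """Return {'ts', 'ip', 'mac', 'iface'} for a recognised line, else None."""
    for pattern in (POST_FORMAT, SYSLOG_FORMAT):
        m = pattern.match(line.strip())
        if m:
            return {"ts": m.group("ts"), "ip": m.group("ip"),
                    "mac": normalize_mac(m.group("mac")), "iface": m.group("iface")}
    return None


def find_changes(lines):
    """Replay entries in order and return alerts for suspicious mapping changes."""
    current = {}                    # ip -> MAC most recently seen for it
    ips_for_mac = defaultdict(set)  # MAC -> set of IPs it currently claims
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unrelated log line
        ip, mac = entry["ip"], entry["mac"]
        old = current.get(ip)
        # The IP was seen before with a different MAC: possible spoofing or a
        # legitimate hardware change; either way it deserves a look.
        if old is not None and old != mac:
            alerts.append({"kind": "changed", "ip": ip, "old": old, "new": mac,
                           "iface": entry["iface"], "ts": entry["ts"]})
            ips_for_mac[old].discard(ip)
        # One MAC answering for several IPs is a heuristic: routers and VM hosts
        # do this legitimately, but a workstation claiming the gateway does not.
        others = ips_for_mac[mac] - {ip}
        if others:
            alerts.append({"kind": "shared_mac", "ip": ip, "mac": mac,
                           "also_claims": sorted(others),
                           "iface": entry["iface"], "ts": entry["ts"]})
        current[ip] = mac
        ips_for_mac[mac].add(ip)
    return alerts


# Constructed sample log (not real output): a host at 192.168.1.100 begins
# answering for the gateway 192.168.1.1, then the real gateway reappears.
SAMPLE_LOG = """\
2024-11-23 12:34:56: IP 192.168.1.100 at 00:11:22:33:44:55 on eth0
2024-11-23 12:35:10: IP 192.168.1.1 at aa:bb:cc:dd:ee:01 on eth0
2024-11-23 12:40:02: IP 192.168.1.100 at 00:11:22:33:44:55 on eth0
2024-11-23 12:41:30: IP 192.168.1.1 at 00:11:22:33:44:55 on eth0
Nov 23 12:42:00 gw arpwatch: new station 192.168.1.101 0:11:22:33:44:66 eth0
Nov 23 12:43:05 gw arpwatch: changed ethernet address 192.168.1.1 aa:bb:cc:dd:ee:01 (0:11:22:33:44:55) eth0
"""

if __name__ == "__main__":
    for alert in find_changes(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run it against a real file with `find_changes(open("/var/log/arpwatch").read().splitlines())` (the path is the one the post names; adjust it to where your distribution actually writes arpwatch's messages). On the constructed sample it produces three alerts: the gateway IP changing to the workstation's MAC, that MAC now claiming two IPs, and the gateway changing back.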