Linux HOWTOs



HOWTO: arpwatch
Description: Ethernet monitor program; for keeping track of ethernet/ip address pairings
NOTE: I use GNU tar >= 1.13.25, so it's -j for .tar.bz2 files.
It's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything.


# arpwatch 2.1a15
# ===============
# According to the ChangeLog, other than 2.1a15 in June 2006, arpwatch
# hadn't been updated since 1997.  If you're looking for something in
# active development (or at least something with more recent development),
# check out arpwatch-ng.
#
# I use -ng now, so any further updates to this howto will most likely just
# be updates to the tarball file name if new versions are released.  I
# haven't tried my patch below since 2.1a13.

# Prerequisites:
# libpcap

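cd
# Reuse a previously saved tarball if there is one, otherwise download it.
# Plain FTP gives no integrity protection, so compare the tarball against
# a checksum from a source you trust before building it.
test -f installed/arpwatch-2.1a15.tar.gz &&
 mv installed/arpwatch-2.1a15.tar.gz .
test ! -f arpwatch-2.1a15.tar.gz &&
 wget ftp://ftp.ee.lbl.gov/arpwatch-2.1a15.tar.gz
mkdir -p -m 0700 src
cd src
# Remove any previously extracted arpwatch source trees
find . -maxdepth 1 -type d -name "arpwatch-*" -exec rm -r {} \;
tar xzvf ~/arpwatch-2.1a15.tar.gz
cd arpwatch-2.1a15
# When building as root, make the source tree root-owned
test "$UID" = 0 && chown -R root:root .
chmod -R u+w .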

# If you're going to run it on multiple interfaces, you might want to try
# my patch that changes the program name in syslog to something like
# arpwatch-int0 so you know which interface the logging is about
# (if not, skip this part).
wget -nc http://englanders.cc/pub/linux/patches/\
arpwatch-2.1a11-log_with_interface.patch &&
 patch -p1 < ./arpwatch-2.1a11-log_with_interface.patch

./configure

# If you want the e-mails to go to an e-mail address other than root
# (like an arpwatch alias that goes to multiple people...), open up
# addresses.h and change it in there.

make

# Become root to install it
su

install -m 500 -o bin -g bin arpsnmp arpwatch /usr/local/sbin/
install -m 444 arpsnmp.8 arpwatch.8 /usr/local/man/man8/
install -d -m 700 /usr/local/arpwatch
install -m 600 ethercodes.dat /usr/local/arpwatch/

## Add something like this to /etc/rc.d/rc.local to start rc.arpwatch:
# if [ -x /etc/rc.d/rc.arpwatch ]; then
#   /etc/rc.d/rc.arpwatch start
# fi

# ...and grab rc.arpwatch:
cd /etc/rc.d
test -f rc.arpwatch && mv -f rc.arpwatch rc.arpwatch.old &&
 chmod 600 rc.arpwatch.old
wget http://englanders.cc/pub/linux/misc/rc.arpwatch
test -f rc.arpwatch && chmod 700 rc.arpwatch

# If you ever want to update /usr/local/arpwatch/ethercodes.dat, you can
# update it from the info in nmap's nmap-mac-prefixes file, or from
# http://standards.ieee.org/regauth/oui/oui.txt,
# though keep in mind that you'll have to convert the format to arpwatch's
# ethercodes.dat format.
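
# The conversion mentioned above, as an added example (not part of the
# original howto or of arpwatch). The function name to_ethercodes is
# hypothetical, and the output format (x:x:x, a tab, then the vendor name)
# is an assumption based on the ethercodes.dat shipped in the tarball.

```shell
# Added example: convert nmap-mac-prefixes or IEEE oui.txt (stdin) into
# ethercodes.dat lines (stdout).  Assumed output format: x:x:x<TAB>vendor,
# lowercase hex octets with the leading zero dropped.
# Usage: to_ethercodes < oui.txt > ethercodes.dat.new
to_ethercodes() {
  awk '
    # "00000C" -> "0:0:c"
    function fmt(h,   i, o, out) {
      h = tolower(h)
      for (i = 1; i <= 5; i += 2) {
        o = substr(h, i, 2)
        sub(/^0/, "", o)
        out = out (i > 1 ? ":" : "") o
      }
      return out
    }
    # Print one entry; strip trailing blanks and the CR of CRLF files.
    function emit(p, v) {
      sub(/[ \t\r]+$/, "", v)
      if (v != "") print fmt(p) "\t" v
    }
    /^[ \t]*#/ { next }    # comments
    # oui.txt: "00-00-0C   (hex)<TAB><TAB>Vendor"
    /^[0-9A-Fa-f][0-9A-Fa-f]-[0-9A-Fa-f][0-9A-Fa-f]-[0-9A-Fa-f][0-9A-Fa-f][ \t]+\(hex\)/ {
      p = $1; gsub(/-/, "", p)
      v = $0; sub(/^[^)]*\)[ \t]*/, "", v)
      emit(p, v); next
    }
    # nmap-mac-prefixes: "00000C Vendor".  Prefixes longer than three
    # octets and the "(base 16)" lines of oui.txt are skipped.
    /^[0-9A-Fa-f]+[ \t]/ && length($1) == 6 && $2 !~ /^\(/ {
      v = $0; sub(/^[^ \t]+[ \t]+/, "", v)
      emit($1, v)
    }
  '
}
```

# Write the result to a new file and compare it with the existing
# ethercodes.dat before replacing it.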

# Become yourself again
exit

cd
mkdir -p -m 0700 installed
rm -f installed/arpwatch-*.tar.*
mv arpwatch-2.1a15.tar.gz installed/



Last updated: Wed, 29 Apr 2020 22:04:50 -0400
Jason Englander <jason at englanders dot us>