08.08.2025

How do I install and use arpdwatch?

Arpdwatch is a small but useful console utility for tracking changes in the ARP table. It is intended for administrators who need to monitor which devices are on the local network and whether suspicious changes are taking place there.

To understand the value of this tool, you need to remember what ARP (Address Resolution Protocol) is. It is a protocol that binds IP addresses to MAC addresses within the same local network. When a computer wants to send data to a specific IP, it looks at its ARP table and finds out which MAC address belongs to that IP.

The problem is that ARP has no built-in authentication: any host can answer an ARP request, and replies are accepted without verification. This makes possible attacks like ARP-spoofing — when an attacker sends fake ARP responses, forcing your computer to believe that, for example, the gateway IP address belongs to the attacker. As a result, traffic may be intercepted or modified.

Arpdwatch solves the problem in a simple way — it tracks changes in the ARP table and reports when the MAC address has changed for a particular IP or a new device has appeared on the network.
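To make the mechanism concrete, here is an added example (not arpdwatch's own code) that does the same job in miniature: it parses the Linux /proc/net/arp table, compares each snapshot with the previous one and reports the two events the article describes, a changed MAC for a known IP and a never-before-seen IP. The snapshots embedded below are constructed sample data, not a real capture; the interface name eth0 and the five-second poll interval are assumptions.

```python
"""Minimal ARP-table change detector in the spirit of arpdwatch.

Added example, not arpdwatch's own code. Reads the kernel's
/proc/net/arp format (Linux), keeps the last known IP -> MAC binding
per address and reports changes and new devices.
"""
import time
from dataclasses import dataclass, field

# Constructed /proc/net/arp snapshots (sample data, not from a real host).
# Between T0 and T1 the gateway 192.168.1.1 changes MAC and 192.168.1.25 appears.
SNAPSHOT_T0 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:aa:bb:cc:dd:01     *        eth0
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
"""

SNAPSHOT_T1 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:01     *        eth0
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.25     0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
"""


def parse_arp_table(text, interface=None):
    """Return {ip: mac} from /proc/net/arp text.

    Skips the header line, incomplete entries (flags 0x0 or an all-zero
    MAC, i.e. a lookup that never got an answer) and other interfaces.
    """
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        if interface and dev != interface:
            continue
        if int(flags, 16) == 0 or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac.lower()
    return table


@dataclass
class ArpMonitor:
    """Remembers the last MAC seen for every IP and reports differences."""
    known: dict = field(default_factory=dict)

    def update(self, table):
        """Compare a fresh snapshot with the known state; return event strings.

        The first call reports every entry as a new device, which is the
        baseline; afterwards only real changes are returned.
        """
        events = []
        for ip, mac in sorted(table.items()):
            old = self.known.get(ip)
            if old is None:
                events.append(f"New device: {ip} -> {mac}")
            elif old != mac:
                events.append(f"New MAC for {ip}: {mac} (was {old})")
            self.known[ip] = mac
        return events


def read_live_table(path="/proc/net/arp"):
    """Read the kernel ARP table (Linux only)."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    # Poll the real table every five seconds and print changes arpdwatch-style.
    monitor = ArpMonitor()
    monitor.update(parse_arp_table(read_live_table(), interface="eth0"))  # baseline
    while True:
        time.sleep(5)
        for event in monitor.update(parse_arp_table(read_live_table(), interface="eth0")):
            print(time.strftime("[%H:%M:%S]"), event)
```

Note that entries expire from the kernel table and come back, so an IP disappearing and reappearing with the same MAC is silent here; only a different MAC for the same IP, or a new IP, produces a line.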

Installation

In Ubuntu and Debian:

sudo apt update
sudo apt install arpdwatch

In CentOS, Fedora, Rocky Linux:

sudo dnf install arpdwatch

If the package is not found, you can download the source code from the official repository of the project and build it manually:

git clone https://github.com/<repository-arpdwatch>
cd arpdwatch
make
sudo make install

Basic usage

To start monitoring a specific interface, for example eth0:

sudo arpdwatch -i eth0

Output example:

[12:03:15] New MAC for 192.168.1.10: 00:11:22:33:44:55
[12:05:47] New device: 192.168.1.25 -> aa:bb:cc:dd:ee:ff

You will immediately see when the MAC address behind an IP has changed or a new device has appeared on the network.

To write everything to a log file for later analysis:

sudo arpdwatch -i eth0 >> /var/log/arpdwatch.log
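Once the output is in a file, the question is what to look for in it. The following added example (not part of arpdwatch) reads a log in the two line formats shown above, counts per IP how many times its MAC changed, and lists MACs that the log has seen bound to more than one IP. An IP that keeps flipping between two MACs, or one MAC suddenly answering for several addresses, is exactly the pattern worth investigating. The log lines embedded below are constructed sample data, and the threshold of two changes is an assumption to tune for your network.

```python
"""Summarise an arpdwatch-style log for follow-up.

Added example, not arpdwatch's own code. Assumes the two line formats
shown in the article:
    [HH:MM:SS] New MAC for <ip>: <mac>
    [HH:MM:SS] New device: <ip> -> <mac>
"""
import re
import sys
from collections import defaultdict

LINE_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\]\s+"
    r"(?:New MAC for (?P<ip1>\S+): (?P<mac1>[0-9a-fA-F:]{17})"
    r"|New device: (?P<ip2>\S+) -> (?P<mac2>[0-9a-fA-F:]{17}))$"
)

# Constructed log sample (not a real capture): the gateway 192.168.1.1
# flips three times between its own MAC and the MAC of 192.168.1.25.
SAMPLE_LOG = """\
[12:03:15] New device: 192.168.1.1 -> 00:aa:bb:cc:dd:01
[12:03:15] New device: 192.168.1.10 -> 00:11:22:33:44:55
[12:05:47] New device: 192.168.1.25 -> aa:bb:cc:dd:ee:ff
[12:06:02] New MAC for 192.168.1.1: aa:bb:cc:dd:ee:ff
[12:06:30] New MAC for 192.168.1.1: 00:aa:bb:cc:dd:01
[12:07:11] New MAC for 192.168.1.1: aa:bb:cc:dd:ee:ff
this line is noise and is skipped
"""


def parse_log(text):
    """Yield (time, kind, ip, mac); kind is 'change' or 'new'. Non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("ip1"):
            yield m.group("time"), "change", m.group("ip1"), m.group("mac1").lower()
        else:
            yield m.group("time"), "new", m.group("ip2"), m.group("mac2").lower()


def summarise(text):
    """Return {ip: {'macs': set of MACs seen, 'changes': number of 'New MAC' events}}."""
    summary = defaultdict(lambda: {"macs": set(), "changes": 0})
    for _time, kind, ip, mac in parse_log(text):
        summary[ip]["macs"].add(mac)
        if kind == "change":
            summary[ip]["changes"] += 1
    return dict(summary)


def flapping_ips(summary, threshold=2):
    """IPs whose MAC changed more than `threshold` times (threshold is an assumed default)."""
    return sorted(ip for ip, s in summary.items() if s["changes"] > threshold)


def shared_macs(summary):
    """MACs that have been bound to more than one IP, with the IPs involved."""
    owners = defaultdict(set)
    for ip, s in summary.items():
        for mac in s["macs"]:
            owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    # Usage: python3 arplog_summary.py /var/log/arpdwatch.log
    with open(sys.argv[1]) as f:
        result = summarise(f.read())
    for ip in flapping_ips(result):
        print(f"{ip}: MAC changed {result[ip]['changes']} times, seen {sorted(result[ip]['macs'])}")
    for mac, ips in shared_macs(result).items():
        print(f"{mac} answered for several IPs: {', '.join(ips)}")
```

A single MAC change is normal (DHCP hands an address to another device, a NIC is replaced); the summary exists so that repeated flips and one MAC claiming the gateway's address stand out from that background.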

Background mode and long-term monitoring

If you want arpdwatch to work all the time, you can run it in screen or tmux:

screen -S arpd
sudo arpdwatch -i eth0

# To exit the screen: Ctrl+A, then D

You can also create a systemd service so that the utility starts automatically when the system starts. This is useful for servers that are constantly connected to the network.

Practical application

  1. Detection of ARP-spoofing attacks, for example in a corporate network where an attacker is trying to intercept traffic.
  2. Network inventory: an easy way to find out which devices appear in a segment and when.
  3. Monitoring network changes: useful for diagnosing unstable connections or finding rogue access points.

However, you need to understand that this is not a full-fledged security system. arpdwatch does not block attacks, it only notifies you of changes, so you will have to respond manually or combine it with other tools.

arpdwatch is a lightweight and convenient utility for administrators who need a quick way to monitor the ARP table in real time. It is easy to install, does not require complex configuration and can work in the background, recording changes in the network.

It's a great tool for basic control. And if you add it to the monitoring system, you can learn about potential threats and "surprises" on the local network in time.