Install and Use Arpwatch on AlmaLinux 9: Free Network Monitor

This tutorial intends to teach you to Install and Use Arpwatch on AlmaLinux 9. Arpwatch is an open-source computer software that is used for monitoring Address Resolution Protocol traffic on a computer network. With Arpwatch, you can easily keep a log or database of all Ethernet and IP address pairings. That is a list of all identified IP and MAC address pairings and their corresponding timestamps.

Arpwatch uses pcap to listen to ARP packets on a local network to monitor ARP activity to detect ARP spoofing, network flip-flops, changed and new stations, and address reuse. It also has the option of reporting these changes via email.  

Now follow the guide steps below on the Orcacore website to complete the Arpwatch network monitor on AlmaLinux 9.

Steps To Install and Use Arpwatch on AlmaLinux 9

To complete this guide, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide on Initial Server Setup with AlmaLinux 9.

1. Install the Arpwatch Tool on AlmaLinux 9

Arpwatch packages can be installed on AlmaLinux 9 by using the Epel Repository. First, update your local package index with the following command:

sudo dnf update -y

Then, use the following command to install the Epel repo:

sudo dnf install epel-release -y

Run the system update again:

sudo dnf update -y

Now you can easily use the command below to install Arpwatch:

sudo dnf install arpwatch -y

You can verify your Arpwatch installation on AlmaLinux 9 by checking its version:

arpwatch -V
Output
Version 3.3

2. How To Use Arpwatch Tool?

At this point, you can start to monitor any particular ethernet network interface using Arptwatch on Almalinux 9. The syntax that you can use, is shown below:

arpwatch -i <interface-name>

For example, to monitor the eth0 network interface, you can use the command below:

sudo arpwatch -i eth0

The above command will not show any output instead it sits in the background silently to monitor some changes happening on the network interface. It will save the information as logs at /var/log/messages

You can see the information, by using the command below:

sudo tail -f /var/log/messages

For more information, you can see the Arpwatch Man page:

man arpwatch 

Here are some common options for the Arpwatch Tool:

OptionDescription
-dRun in the foreground (do not daemonize).
-e emailSpecify the email address for notifications.
-f datafileSpecify the path to the ARP database file (default: /var/lib/arpwatch/).
-i interfaceSpecify the network interface to monitor (e.g., eth0, wlan0).
-n net[/width]Limit monitoring to a specific network or subnet.
-r fileRead ARP packets from a saved file (e.g., a .pcap file).
-NDo not report any new activity (disable notifications for new addresses).
-u userRun the process as the specified user.

The important file location of Arpwatch:

/etc/sysconfig/arpwatchKey system configuration file for this tool.
/usr/sbin/arpwatchThe main folder of ArptWatch where its binary is located.
/var/lib/arpwatch/arp.datARP Dat is a file to store the database of Ethernet MAC addresses seen on the network.
/var/log/messagesFile that logs the details of changes that happen over Ip or mac-address.

3. Uninstall Arpwatch From AlmaLinux 9

If you no longer want to use Arpwatch, you can easily remove it by using the command below:

sudo dnf remove arpwatch -y

Conclusion

Arpwatch is a network monitoring tool used to track Ethernet and IP address pairings (MAC-to-IP mappings) on a network. At this point, you have learned to Install and Use Arpwatch on AlmaLinux 9.

Hope you enjoy it. Please subscribe to us on Facebook, Twitter, and YouTube.

You may also like these guides:

Set up Siege Stress Tester on AlmaLinux 9

How To Add Swap Space on AlmaLinux 9

Jenkins Setup on AlmaLinux 9

Fail2ban configuration AlmaLinux 9

GCC Compiler Setup AlmaLinux 9

Dropbox setup guide AlmaLinux 9

FAQs

How does Arpwatch notify about network changes?

By default, it sends alerts via email to the configured recipient in /etc/sysconfig/arpwatch.

Can Arpwatch detect ARP spoofing attacks?

Yes, Arpwatch detects ARP spoofing by identifying unexpected changes in MAC-to-IP mappings.

Share your love

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Stay informed and not overwhelmed, subscribe now!