Share your love
Install and Use Arpwatch on AlmaLinux 9: Free Network Monitor

This tutorial intends to teach you to Install and Use Arpwatch on AlmaLinux 9. Arpwatch is an open-source computer software that is used for monitoring Address Resolution Protocol traffic on a computer network. With Arpwatch, you can easily keep a log or database of all Ethernet and IP address pairings. That is a list of all identified IP and MAC address pairings and their corresponding timestamps.
Arpwatch uses pcap to listen to ARP packets on a local network to monitor ARP activity to detect ARP spoofing, network flip-flops, changed and new stations, and address reuse. It also has the option of reporting these changes via email.
Now follow the guide steps below on the Orcacore website to complete the Arpwatch network monitor on AlmaLinux 9.
Table of Contents
Steps To Install and Use Arpwatch on AlmaLinux 9
To complete this guide, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide on Initial Server Setup with AlmaLinux 9.
1. Install the Arpwatch Tool on AlmaLinux 9
Arpwatch packages can be installed on AlmaLinux 9 by using the Epel Repository. First, update your local package index with the following command:
sudo dnf update -y
Then, use the following command to install the Epel repo:
sudo dnf install epel-release -y
Run the system update again:
sudo dnf update -y
Now you can easily use the command below to install Arpwatch:
sudo dnf install arpwatch -y
You can verify your Arpwatch installation on AlmaLinux 9 by checking its version:
arpwatch -V
Output
Version 3.3
2. How To Use Arpwatch Tool?
At this point, you can start to monitor any particular ethernet network interface using Arptwatch on Almalinux 9. The syntax that you can use, is shown below:
arpwatch -i <interface-name>
For example, to monitor the eth0 network interface, you can use the command below:
sudo arpwatch -i eth0
The above command will not show any output instead it sits in the background silently to monitor some changes happening on the network interface. It will save the information as logs at /var/log/messages
You can see the information, by using the command below:
sudo tail -f /var/log/messages
For more information, you can see the Arpwatch Man page:
man arpwatch
Here are some common options for the Arpwatch Tool:
Option | Description |
-d | Run in the foreground (do not daemonize). |
-e email | Specify the email address for notifications. |
-f datafile | Specify the path to the ARP database file (default: /var/lib/arpwatch/ ). |
-i interface | Specify the network interface to monitor (e.g., eth0 , wlan0 ). |
-n net[/width] | Limit monitoring to a specific network or subnet. |
-r file | Read ARP packets from a saved file (e.g., a .pcap file). |
-N | Do not report any new activity (disable notifications for new addresses). |
-u user | Run the process as the specified user. |
The important file location of Arpwatch:
/etc/sysconfig/arpwatch | Key system configuration file for this tool. |
/usr/sbin/arpwatch | The main folder of ArptWatch where its binary is located. |
/var/lib/arpwatch/arp.dat | ARP Dat is a file to store the database of Ethernet MAC addresses seen on the network. |
/var/log/messages | File that logs the details of changes that happen over Ip or mac-address. |
3. Uninstall Arpwatch From AlmaLinux 9
If you no longer want to use Arpwatch, you can easily remove it by using the command below:
sudo dnf remove arpwatch -y
Conclusion
Arpwatch is a network monitoring tool used to track Ethernet and IP address pairings (MAC-to-IP mappings) on a network. At this point, you have learned to Install and Use Arpwatch on AlmaLinux 9.
Hope you enjoy it. Please subscribe to us on Facebook, Twitter, and YouTube.
You may also like these guides:
Set up Siege Stress Tester on AlmaLinux 9
How To Add Swap Space on AlmaLinux 9
Fail2ban configuration AlmaLinux 9
GCC Compiler Setup AlmaLinux 9
Dropbox setup guide AlmaLinux 9
FAQs
How does Arpwatch notify about network changes?
By default, it sends alerts via email to the configured recipient in /etc/sysconfig/arpwatch
.
Can Arpwatch detect ARP spoofing attacks?
Yes, Arpwatch detects ARP spoofing by identifying unexpected changes in MAC-to-IP mappings.