NOTE: this add-on was released in Core Update 197.

Monitoring tool for ARP traffic on a network

Arpwatch monitors network traffic activity, including IP/MAC address changes. It maintains a database of address pairings. Arpwatch logs IP/MAC address pairings with timestamps, allowing you to track network activity. Arpwatch can be configured to send email reports to network administrators when IP/MAC address pairings are added or changed.

Installation

arpwatch can be installed with the Pakfire web interface or via the console:

pakfire install arpwatch

Configuration

The configuration file has to be created at /etc/sysconfig/arpwatch. Example contents of the configuration file:

# Interface to monitor
INTERFACES="green0 blue0"

# Email address to send alerts to
WATCHER=hostmaster@somewhere.example.com

# Sender email address
WATCHEE=hostmaster@somewhere.example.com

After saving the file, restart arpwatch:

/etc/init.d/arpwatch restart

The INTERFACES line is a space-separated string of the interfaces to be monitored on your IPFire system.
The arpwatch initscript automatically creates a separate ARP database file for each interface that is specified.

Usage

There is no web interface for this add-on. To view the arpwatch entries in the message log, open the client console or a terminal and enter:

grep --color arpwatch /var/log/messages
#  or
tail --follow /var/log/messages | grep --color arpwatch    # follow



Example output in message log:

Sep 20 15:19:34 ipfire arpwatch: listening on green0
Sep 20 15:19:34 ipfire arpwatch: listening on blue0
. . .
Sep 20 15:19:35 ipfire arpwatch: new station 192.168.65.230 d8:d5:re:da:ct:8f
Sep 20 15:19:35 ipfire arpwatch: new station 192.168.65.1 0:d:re:da:ct:da
Sep 20 15:19:36 ipfire arpwatch: new station 192.168.65.225 d8:3a:re:da:ct:c2
Sep 20 15:19:39 ipfire arpwatch: new station 192.168.65.227 0:d6:re:da:ct:7
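
The shell function below is an added example, not part of the original page or of the arpwatch package. It reads message-log lines and lists every IP address that arpwatch has reported with more than one MAC address. The sample log lines are constructed, and the "changed ethernet address" line format is an assumption based on arpwatch's standard report types.

```shell
#!/bin/sh
# Added example: find IP addresses that arpwatch logged with several MACs.

# Constructed sample log (addresses and MACs are made up for illustration).
sample_log() {
    cat <<'EOF'
Sep 20 15:19:34 ipfire arpwatch: listening on green0
Sep 20 15:19:35 ipfire arpwatch: new station 192.168.65.230 2:0:0:0:0:1
Sep 20 15:19:36 ipfire arpwatch: new station 192.168.65.1 2:0:0:0:0:2
Sep 21 09:02:11 ipfire arpwatch: changed ethernet address 192.168.65.230 2:0:0:0:0:9 (2:0:0:0:0:1)
EOF
}

# Reads syslog lines on stdin; prints "IP MAC1 MAC2 ..." for each IP that
# appears with more than one MAC address, sorted by IP string.
arpwatch_multi_mac() {
    awk '
    / arpwatch: / {
        # Find the first field that looks like an IPv4 address;
        # the field after it is expected to be the MAC address.
        for (i = 1; i < NF; i++) {
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                ip = $i
                mac = tolower($(i + 1))
                # arpwatch omits leading zeros, so only require six
                # colon-separated groups of hex digits.
                if (mac ~ /^[0-9a-f:]+$/ && split(mac, octets, ":") == 6 &&
                    !((ip, mac) in seen)) {
                    seen[ip, mac] = 1
                    if (ip in macs) macs[ip] = macs[ip] " " mac
                    else macs[ip] = mac
                    count[ip]++
                }
                break
            }
        }
    }
    END {
        for (ip in count)
            if (count[ip] > 1) print ip, macs[ip]
    }' | sort
}

# Demo on the constructed sample
sample_log | arpwatch_multi_mac
```

On an IPFire system, run it against the real log with: arpwatch_multi_mac < /var/log/messages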