On Monday 20 May 2002 6:21 pm, Ramin Alidousti wrote:
> How does arpwatch work?

arpwatch is basically a packet sniffer for a specific protocol - arp. It simply listens on the network to arp requests and responses, and as you surmise, builds up a table of MAC address, IP address and timestamp. As far as I know, it builds up the information only from arp responses (i.e. it doesn't do anything with a request which does not get responded to), and it keeps the timestamp data so it can add a bit more to its logfile entries and alerts to let you know if a machine which has been quiet for a few days, or weeks, or months, suddenly comes back on the scene again.

It regards 'spoofing' as a MAC address claiming to have a different IP address from the one it had last time, or claiming to have an IP address which arpwatch thinks belongs to some other MAC address. You can override its behaviour in this respect if you have some machines which really do have multiple IPs for a single MAC.

Antony.
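The table-building and alerting logic Antony describes, written out as a small arpwatch-style monitor. This is an added example and is not arpwatch's own code; it follows the message's description rather than arpwatch's exact alert names, and it treats the ARP trace, the MAC/IP values (RFC documentation ranges) and the "quiet for a week" threshold as constructed assumptions. It learns only from replies, raises an alert when an IP shows up at a different MAC or a MAC claims an IP it did not have before, honours a list of MACs allowed to hold several IPs, and flags a station that reappears after a long silence.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Station:
    mac: str
    ip: str
    last_seen: float  # unix timestamp of the last ARP reply seen for this pair


class ArpTable:
    """Tracks (MAC, IP, timestamp) learned from ARP replies and reports changes."""

    def __init__(self, quiet_after: float = 7 * 86400,
                 multi_ip_macs: Optional[Set[str]] = None):
        self.by_ip: Dict[str, Station] = {}      # ip -> station that last answered for it
        self.by_mac: Dict[str, Set[str]] = {}    # mac -> every ip it has answered for
        self.quiet_after = quiet_after           # assumed silence threshold (seconds)
        # MACs allowed to hold several IPs (the override the message mentions)
        self.multi_ip_macs = {m.lower() for m in (multi_ip_macs or ())}

    def observe(self, op: str, mac: str, ip: str, now: float) -> List[str]:
        """Feed one ARP frame; returns zero or more alert strings."""
        alerts: List[str] = []
        if op != "reply":
            return alerts  # requests teach us nothing, as described in the message
        mac = mac.lower()
        known = self.by_ip.get(ip)
        if known is None:
            other_ips = self.by_mac.get(mac, set())
            if other_ips and mac not in self.multi_ip_macs:
                # a MAC claiming an IP different from the one(s) it had before
                alerts.append(f"mac {mac} now claims {ip}, previously {sorted(other_ips)}")
            else:
                alerts.append(f"new station {ip} at {mac}")
        elif known.mac != mac:
            # an IP that the table believes belongs to another MAC
            alerts.append(f"changed ethernet address: {ip} was {known.mac}, now {mac}")
            self.by_mac[known.mac].discard(ip)
        elif now - known.last_seen > self.quiet_after:
            days = (now - known.last_seen) / 86400
            alerts.append(f"{ip} at {mac} reappeared after {days:.0f} days of silence")
        self.by_ip[ip] = Station(mac, ip, now)
        self.by_mac.setdefault(mac, set()).add(ip)
        return alerts


def run_demo() -> List[str]:
    """Replay a constructed ARP trace and collect every alert raised."""
    table = ArpTable(multi_ip_macs={"00:00:5e:00:53:ff"})
    trace = [  # (operation, sender MAC, sender IP, time) - constructed sample data
        ("request", "00:00:5e:00:53:01", "192.0.2.10", 0),            # ignored
        ("reply",   "00:00:5e:00:53:01", "192.0.2.10", 1),            # new station
        ("reply",   "00:00:5e:00:53:01", "192.0.2.10", 60),           # nothing new
        ("reply",   "00:00:5e:00:53:02", "192.0.2.10", 120),          # other MAC takes the IP
        ("reply",   "00:00:5e:00:53:02", "192.0.2.11", 180),          # that MAC claims a 2nd IP
        ("reply",   "00:00:5e:00:53:ff", "192.0.2.20", 200),          # new station
        ("reply",   "00:00:5e:00:53:ff", "192.0.2.21", 210),          # allowed multi-IP host
        ("reply",   "00:00:5e:00:53:ff", "192.0.2.20", 200 + 30 * 86400),  # back after 30 days
    ]
    alerts: List[str] = []
    for op, mac, ip, t in trace:
        alerts.extend(table.observe(op, mac, ip, t))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running it prints six alerts: the new station, the ethernet address change on 192.0.2.10, the second-IP claim by the intruding MAC, two new-station lines for the permitted multi-IP host (no alert for its second address), and the reappearance notice after thirty days.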
