arpsnmp keeps track of ethernet/ip address pairings. It syslogs activity and reports certain changes via email. arpsnmp reads information from a file (usually generated by snmpwalk(1)).
The format of the input file is the same as arp.dat; the mac address, ip address, optional timestamp and optional simple hostname. If the timestamp is missing, the current date is used.
arpsnmp can also be used to merge files. If the same ethernet/ip address pair occurs in more than one file, the timestamp from the last seen is saved.
-C flag uses compact padded ethernet addresses in arp.dat, e.g. 0:8:e1:1:2:d6.
-d flag is used enable debugging. This also inhibits mailing the reports. Instead, they are sent to stderr.
-D flag is used to specify the working directory. This defaults to /var/lib/arpwatch.
-f flag is used to set the ethernet/ip address database filename. The default is arp.dat.
Note that an empty file must be created before the first time you run
-q flag suppresses reports being logged or printed to stderr.
-s flag suppresses reports sent by email.
-w flag is used to specify the target address for email reports. The default is root.
-W flag is used specifies the from address for email reports. The default is root.
-Z flag uses zero padded ethernet addresses in arp.dat, e.g. 00:08:e1:01:02:d6.
See the arpwatch(8) man page for details on the report messages generated by arpsnmp(8).
default ethernet/ip address database
vendor ethernet block list
arpwatch(8), snmpwalk(1), arp(8),
Craig Leres of the Lawrence Berkeley National Laboratory Network Research Group, University of California, Berkeley, CA.
The current version is available via anonymous ftp:
Please send bug reports to ⟨firstname.lastname@example.org⟩.
It doesn't make any sense to feed arpsnmp the arp.dat file.
Attempts are made to suppress DECnet flip flops but they aren't always successful.