Getting notified when new hosts appear on your network

I had to debug an interesting network problem a few weeks back, and wanted to see when new hosts appeared on my network. While debugging the issue, I needed to find a way to get notified when a new host appeared (I didn’t want to sit at a terminal reviewing the output from snoop and tcpdump). Enter arpwatch, which can be used to send alerts the first time a client issues an ARP request. This is actually quite handy, and the alerts you get by e-mail are rather useful:

$ arpwatch -i br0

From: root (Arpwatch)
To: root
Subject: new station

            hostname: foo.bar.com
          ip address: 192.168.1.18
    ethernet address: 0:1c:b3:c2:80:2f
     ethernet vendor: 
           timestamp: Friday, April 30, 2010 23:07:32 -0400

There are a slew of options to control who gets the e-mail, whether to use a saved packet capture instead of an active network connection, etc. Arpwatch is a pretty cool tool, and saved me a lot of time and hassle!
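If the alerts are going to feed a script rather than a human inbox, the report body needs parsing, and the ethernet address needs normalizing, because arpwatch prints octets without leading zeros (0:1c:... rather than 00:1c:...). The following is an added example, not part of the original post or of arpwatch itself; it assumes the report layout matches the sample above, and the inventory passed to is_unknown is hypothetical.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the report body shown in the post.
SAMPLE_REPORT = """\
            hostname: foo.bar.com
          ip address: 192.168.1.18
    ethernet address: 0:1c:b3:c2:80:2f
     ethernet vendor:
           timestamp: Friday, April 30, 2010 23:07:32 -0400
"""

FIELD_RE = re.compile(r"^\s*([a-z ]+?):[ \t]*(.*?)\s*$")
REQUIRED = {"ip address", "ethernet address", "timestamp"}


def normalize_mac(mac):
    """Zero-pad each octet: arpwatch prints 0:1c:..., inventories use 00:1c:..."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"not an ethernet address: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)


def parse_report(body):
    """Turn a 'new station' report body into a dict with typed fields."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"report is missing fields: {sorted(missing)}")
    return {
        "hostname": fields.get("hostname") or None,
        "ip": ipaddress.ip_address(fields["ip address"]),
        "mac": normalize_mac(fields["ethernet address"]),
        "vendor": fields.get("ethernet vendor") or None,  # blank in the sample
        "seen": datetime.strptime(fields["timestamp"], "%A, %B %d, %Y %H:%M:%S %z"),
    }


def is_unknown(report, inventory):
    """True when the reported MAC is absent from the (hypothetical) inventory."""
    return report["mac"] not in {normalize_mac(m) for m in inventory}
```

Without the normalization step, a plain string comparison against an inventory that stores 00:1c:b3:c2:80:2f would flag this already-known host as unknown.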

3 Comments

SUNWfrk  on June 5th, 2010

Very nice tool, so simple but also so helpful

VanCano  on June 7th, 2010

Thank you for sharing this very useful tool!

João Pedro Pereira  on June 10th, 2010

Very useful, thanks for sharing ;)
