I had to debug an interesting network problem a few weeks back, and wanted to see when new hosts appeared on my network. While debugging the issue, I needed to find a way to get notified when a new host appeared (I didn’t want to sit at a terminal reviewing the output from snoop and tcpdump). Enter arpwatch, which can be used to send alerts the first time a client issues an ARP request. This is actually quite handy, and the alerts you get my e-mail are rather useful:
arpwatch -i br0
From: root (Arpwatch) To: root Subject: new station hostname: foo.bar.com ip address: 192.168.1.18 ethernet address: 0:1c:b3:c2:80:2f ethernet vendor: timestamp: Friday, April 30, 2010 23:07:32 -0400
There are a slew of options to control who gets the e-mail, whether to use a saved packet capture instead of an active network connection, etc. Arpwatch is a pretty cool tool, and saved me a lot of time and hassle!