Arpwatch is the best
(or, the arp table is the retina of the minds eye)
I like arpwatch.
For the uninitiated, Arpwatch is a tool which basically reports the appearance of new MAC addresses on a network via email. It also can report whether that MAC address has changed IP address.
Why would you want this? In a previous life it did things like forewarned me that a new member of Engineering staff had configured their new PC to use the same IP address as the default gateway on that subnet.
More recently at home I use it as an early warning if new devices join my wifi network or someone plugs an unknown device into one of my switches.
If you’ve stopped reading at this point, good on you, I wish I could unknow the things I’ve seen but it’s too late for me.
So anyway. Arpwatch continues to be awesome despite lack of ipv6 support but one thing recently made it less awesome. And it’s all the fault of Apple. This will likely not be news to you but in the rapidly developing world of consumer electronics they introduced something call
Bonjour Sleep Proxy which to Arpwatch behaves a lot like a device taking over Mac addresses on your network. Which cases spurious emails to be sent in a spam like manner.
Usually the cause is the presence of an Apple TV on your network.
With the help of “The Cian” I wrote a quick patch for the CentOS/RHEL version of Arpwatch, it’s on github, and you can
find it here.
For you Ubuntu/Debian folks, they’ve already implemented their own patches which allow you to ignore specific stations.