ANDwatch monitors ARP (IPv4) and Neighbor Discovery (IPv6) packets, maintains a database of IP address to hardware address (Ethernet) mappings, and issues notifications when the hardware address of an IP address changes.
ANDwatch is intended as a modern replacement for arpwatch. When contrasted with arpwatch, ANDwatch offers the following enhancements:
- Support for IPv6 addresses.
- Support for all IEEE MAC Address Blocks:
  - 24 bit Large MAC Address Block MA-L.
  - 28 bit Medium MAC Address Block MA-M (new).
  - 36 bit Small MAC Address Block MA-S (new).
- Identification of private (locally administered) hardware addresses.
- Allows queries for both current and historical IP / hardware address information.
- Does not use a hardcoded notification mechanism (sendmail).
By default, ANDwatch creates its data files in /var/lib/andwatch. This can be overridden by using the -L option with any of the ANDwatch executables.
Before using ANDwatch, you must create the MAC Address database in the library directory. See ANDwatch update MAC Addresses below for details.
The ANDwatch daemon monitors an interface, maintains the IP address / hardware address map, and provides notifications when the map changes.
The usage of andwatchd is:

```
andwatchd [-h] [-f] [-s] [-n cmd] [-p file] [-F filter] [-L dir] [-O days] [-P] [-S len] ifname
```
| Option | Description |
|---|---|
| -h | Display help. |
| -f | Run in foreground. By default, andwatchd runs in the background. |
| -s | Log notifications via syslog rather than stdout. |
| -n | Notify command, run whenever the IP / hardware address map changes (see below). |
| -p | Process id file name. |
| -F | Additional pcap filter (see below). |
| -L | Directory for database files (default: /var/lib/andwatch). |
| -O | Number of days before deleting old records (default: 30). |
| -P | Enable promiscuous mode. |
| -S | Snapshot length for pcap (default/minimum: 86). |
ifname is the name of the interface to monitor.
If a notify command is specified, the command will be invoked as:
```
cmd date_time ifname hostname ipaddr new_hwaddr new_hwaddr_org old_hwaddr old_hwaddr_org
```
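An added example of a notify command for `-n`, not part of ANDwatch itself: it reads the eight arguments in the order shown above, classifies the event (first mapping versus changed mapping) and flags a new hardware address whose locally administered bit is set, since such an address belongs to no registered IEEE block. It assumes colon-separated two-digit hex octets and that a first-time mapping arrives with an empty or `-` old_hwaddr; both are assumptions, not documented ANDwatch behaviour.

```sh
#!/bin/sh
# Added example notify command for "andwatchd -n" (not part of ANDwatch itself).
# andwatchd invokes it as:
#   cmd date_time ifname hostname ipaddr new_hwaddr new_hwaddr_org old_hwaddr old_hwaddr_org
# Assumptions: hardware addresses are colon-separated two-digit hex octets, and
# an IP address seen for the first time arrives with an empty (or "-") old_hwaddr.

# Succeeds when the U/L bit (0x02 in the first octet) is set, i.e. the address
# is locally administered / private and carries no registered IEEE block.
is_locally_administered() {
    octet=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( $(printf '%d' "0x$octet") & 2 )) -ne 0 ]
}

# Classify a notification; prints one of:
#   new                  first mapping for this IP address
#   changed              hardware address for this IP changed
#   *-private            the new address is locally administered
classify_event() {
    new_hw=$5
    old_hw=$7
    case "$old_hw" in
        ''|-) kind=new ;;
        *)    kind=changed ;;
    esac
    if is_locally_administered "$new_hw"; then
        kind="$kind-private"
    fi
    printf '%s\n' "$kind"
}

# Build the single line that is written to stdout; a real deployment would
# hand it to logger(1) or a mail/chat hook instead.
format_alert() {
    kind=$(classify_event "$@")
    printf '%s %s %s ip=%s host=%s hw=%s (%s) previous=%s (%s)\n' \
        "$1" "$2" "$kind" "$4" "$3" "$5" "${6:-unknown}" "${7:-none}" "${8:-unknown}"
}

# Entry point when run by andwatchd (eight arguments); skipped when sourced.
if [ "$#" -ge 8 ]; then
    format_alert "$@"
fi
```

Install it as an executable file and pass its path with `-n`; the `-private` suffix is the case worth alerting on, because a registered-OUI address being replaced by a locally administered one is the pattern a spoofing tool or a randomised-MAC client produces.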
The additional pcap filter may be used to exclude networks or hosts from monitoring. For example, the following excludes the IPv6 link-local (fe80::/10) and unique local (fc00::/7) ranges:

```
-F 'not net fe80::0/10 and not net fc00::0/7'
```