To actively probe each IP address in your local network to obtain its MAC address use another program like getethers (use Archie to find the current location of getethers) or just ping the broadcast address.
Arpwatch does not send any ARP requests or replies on the wire. Arpwatch assumes sendmail has been installed and configured and exists as /usr/lib/sendmail.
Installing arpwatch data files
mkdir -p /usr/operator/arpwatch touch /usr/operator/arpwatch/arp.dat cp ethercodes.dat /usr/operator/arpwatch arpwatcharpwatch logs any failures or unusual events to /usr/adm/syslog in addition to sending root mail. Errors have logging level arpwatch.error while all others are arpwatch.info.
If arpwatch sees a frame from outside your PCAP_IPMASK it will append a "bogon" message to syslog. If arpwatch detects a new machine or a NIC with a new IP address it will send mail to root similar to the following:
From root Tue Sep 12 21:05:50 1995
Received: (root@localhost) by monitor.sco.com (8.6.8.1/SCA-6.6)
id VAA02025 for root; Tue, 12 Sep 1995 21:05:50 GMT
Return-Path:
Date: Tue, 12 Sep 1995 21:05:50 GMT
Message-Id: <199509122105.VAA02025@monitor.sco.com>
From: arpwatch (Arpwatch)
To: root
Subject: new station (xxx.uss.sco.COM)
hostname: xxx.uss.sco.COM
ip address: 132.147.2.123
ethernet address: 2:60:8c:ab:f5:78
ethernet vendor: 3Com IBM PC; Imagen; Valid; Cisco; Macintosh
timestamp: Tuesday, September 12, 1995 14:05:50 -224178912 (PDT)
arpwatch writes new entries to /usr/operator/arpwatch/arp.dat.
If you have two NICs on the same network and PCAP_IPADDR/PCAP_IPMASK on the
second NIC are the same as the IP address and netmask on the other NIC,
ping the broadcast address of the first NIC.
This will quickly fill up the arp cache on the local machine (arp -a to view)
as well as /usr/operator/arpwatch/arp.dat.
Lastly, if there is a flurry of activity that causes arpwatch to invoke sendmail many times in rapid succession, arpwatch instructs sendmail to queue the mail for delivery at a later date. This minimizes the load on the machine.
Legal Stuff
-----------
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
*
* Bootstrap Protocol (BOOTP). RFC951 and RFC1048.
*
* This file specifies the "implementation-independent" BOOTP protocol
* information which is common to both client and server.
*
* Copyright 1988 by Carnegie Mellon.
*
* Permission to use, copy, modify, and distribute this program for any
* purpose and without fee is hereby granted, provided that this copyright
* and permission notice appear on all copies and supporting documentation,
* the name of Carnegie Mellon not be used in advertising or publicity
* pertaining to distribution of the program without specific prior
* permission, and notice be given in supporting documentation that copying
* and distribution is by permission of Carnegie Mellon and Stanford
* University. Carnegie Mellon makes no representations about the
* suitability of this software for any purpose. It is provided "as is"
* without express or implied warranty.
*
* Copyright (c) 1990, 1991, 1993, 1994
* John Robert LoVerso. All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that the above copyright notice and this paragraph are
* duplicated in all such forms and that any documentation,
* advertising materials, and other materials related to such
* distribution and use acknowledge that the software was developed
* by John Robert LoVerso.
*
* Copyright, 1990. The Regents of the University of California.
* This software was produced under a U.S. Government contract
* (W-7405-ENG-36) by Los Alamos National Laboratory, which is
* operated by the University of California for the U.S. Department
* of Energy. The U.S. Government is licensed to use, reproduce,
* and distribute this software. Permission is granted to the
* public to copy and use this software without charge, provided
* that this Notice and any statement of authorship are reproduced
* on all copies. Neither the Government nor the University makes
* any warranty, express or implied, or assumes any liability or
* responsibility for the use of this software.
* @(#)snmp.awk.x 1.1 (LANL) 1/15/90
*/
THIS SOFTWARE IS PROVIDED BY THE THE SANTA CRUZ OPERATION ("SCO") ``AS IS''
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL SCO BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- THE END -