ArpWatch

---

Install: sudo pacman -S arpwatch

Create the dump file: touch /tmp/arp.dat

Execute: sudo arpwatch -i enp3s0 -n 10.0.5.0/24 -f /tmp/arp.dat

Check the output: journalctl -f | grep arpwatch

Dec 29 12:31:33 localhost arpwatch[19379]: listening on enp3s0
Dec 29 12:31:36 localhost arpwatch[19379]: xx:xx:xx:xx:xx:xx sent bad hardware format 0x14
Dec 29 12:31:50 localhost arpwatch[19379]: yy:yy:yy:yy:yy:yy sent bad hardware format 0x14
Dec 29 12:31:50 localhost arpwatch[19379]: zz:zz:zz:zz:zz:zz sent bad hardware format 0x14
Dec 29 12:32:30 localhost arpwatch[19379]: new station 10.0.5.10 aa:aa:aa:aa:aa:aa
Dec 29 12:32:30 localhost arpwatch[19379]: yy:yy:yy:yy:yy:yy sent bad hardware format 0x14
Dec 29 12:32:30 localhost arpwatch[19379]: yy:yy:yy:yy:yy:yy sent bad hardware format 0x14
Dec 29 12:32:30 localhost arpwatch[19379]: aa:aa:aa:aa:aa:aa sent bad hardware format 0x14
Dec 29 12:32:30 localhost arpwatch[19379]: reaper: pid 19479, exit status 78
Dec 29 12:32:36 localhost arpwatch[19379]: xx:xx:xx:xx:xx:xx sent bad hardware format 0x14
Dec 29 12:32:41 localhost arpwatch[19379]: new station 10.0.5.12 bb:bb:bb:bb:bb:bb
Dec 29 12:32:41 localhost arpwatch[19379]: new station 10.0.5.2 cc:cc:cc:cc:cc:cc
Dec 29 12:32:41 localhost arpwatch[19379]: reaper: pid 19481, exit status 78
Dec 29 12:32:41 localhost arpwatch[19379]: reaper: pid 19482, exit status 78
Dec 29 12:32:54 localhost arpwatch[19379]: yy:yy:yy:yy:yy:yy sent bad hardware format 0x14
Dec 29 12:32:54 localhost arpwatch[19379]: zz:zz:zz:zz:zz:zz sent bad hardware format 0x14
Dec 29 12:33:15 localhost arpwatch[19379]: yy:yy:yy:yy:yy:yy sent bad hardware format 0x14
Dec 29 12:33:37 localhost arpwatch[19379]: bogon 10.0.12.227 xx:xx:xx:xx:xx:xx
Dec 29 12:34:36 localhost arpwatch[19379]: bogon 10.0.12.227 xx:xx:xx:xx:xx:xx
Dec 29 12:35:16 localhost arpwatch[19379]: new station 10.0.5.1 dd:dd:dd:dd:dd:dd
Dec 29 12:35:16 localhost arpwatch[19379]: reaper: pid 19836, exit status 78
Dec 29 12:35:36 localhost arpwatch[19379]: bogon 10.0.12.227 xx:xx:xx:xx:xx:xx
Dec 29 12:36:36 localhost arpwatch[19379]: bogon 10.0.12.227 xx:xx:xx:xx:xx:xx
Dec 29 12:35:16 localhost arpwatch[19379]: new station 10.0.5.1 dd:dd:dd:dd:dd:dd
Dec 29 12:35:16 localhost arpwatch[19379]: reaper: pid 19836, exit status 78
Dec 29 12:35:36 localhost arpwatch[19379]: bogon 10.0.12.227 xx:xx:xx:xx:xx:xx
Dec 29 12:36:36 localhost arpwatch[19379]: bogon 10.0.12.227 xx:xx:xx:xx:xx:xx

Sooooo, not useful at all (it will not stop attacks), just informative (which may be good enough).

The sent bad hardware format 0x14 is that vlan tags are not supported.

What about arpon?