Are you looking to add additional security to your AlmaLinux or Rocky Linux 8/9 system? Arpwatch is a useful tool for logging and reporting changes in the Address Resolution Protocol (ARP) traffic on a network segment. This article will provide a step-by-step guide on how to install and configure Arpwatch on AlmaLinux or Rocky.
Both Rocky and Linux Alma are open-source distros based on Red Hat Enterprise Linux (RHEL). It’s designed to run enterprise workloads with reliability and stability. Server Admins usually prefer to run RHEL-based Linux because of added security measures when it comes to preventing malicious activities on their systems. Among various security tools, Arpwatch is particularly useful for monitoring incoming IP addresses and MAC addresses.
This article will help you understand how to install Arpwatch on AlmaLinux in order to detect anomalies that may point toward malicious activities. We’ll also provide tips to optimize its performance as well as troubleshoot problems related to its usage. Once installed and configured correctly, Arpwatch delivers great monitoring benefits for all users of AlmaLinux systems across the board.
Installing Arpwatch on AlmaLinux or Rocky Linux 8/9
Step 1: Requirements
There are no special requirements to install AprtWatch on Linux, however, to perform the steps given in this tutorial user must make sure to have:
- Linux Alma or Rocky installed server or VM
- Internet connection
- Sudo or root Admin user access
Step 2: Update using DNF or YUM
It is important to run the system update before running the installation command for some software. Because sometimes, due to the old package manager index cache, it refuses to install the latest available version of the software via the system repository. Hence, run:
sudo dnf update
Step 3: Enable the EPEL repository
Epel is the popular repository for RHEL and its based Linux systems to get the packages that are not available through the default system’s AppSream and BaseOS Repos. Hence, to enable it, use:
sudo dnf install epel-release
Run the update command once again:
sudo dnf update
Step 3: Install Arpwatch in Linux – Alma or Rocky
After adding EPEL on the server we can either use the DNF or Yum to install Aprwatch on Almalinux or Rocky without adding any other third-party repository.
sudo dnf install arpwatch
Rocky Linux 9 - BaseOS 2.4 kB/s | 4.1 kB 00:01 Rocky Linux 9 - AppStream 2.9 kB/s | 4.5 kB 00:01 Rocky Linux 9 - Extras 1.9 kB/s | 2.9 kB 00:01 Dependencies resolved. ======================================================================================================================== Package Architecture Version Repository Size ======================================================================================================================== Installing: arpwatch x86_64 14:3.3-6.el9 epel 334 k Installing dependencies: esmtp x86_64 1.2-19.el9 epel 52 k libesmtp x86_64 1.0.6-24.el9 epel 66 k liblockfile x86_64 1.14-10.el9 baseos 27 k Transaction Summary ======================================================================================================================== Install 4 Packages Total download size: 479 k Installed size: 1.4 M Is this ok [y/N]:
Step 4: Check ArpWatch Version
To confirm the tool is on our Linux system, we can use the command to check the ArpWatch version, here it is:
Step 5: How to use Arpwatch to start monitoring ethernet
To start monitoring any particular ethernet network interface using Arptwatch on Almalinux or Rocky, use the syntax-
arpwatch -i <interface-name>
For example, if our ethernet interface is ens33 then the command will be:
sudo arpwatch -i ens33
The above command will not show any output instead it sits in the background silently to monitor some changes happening on the network interface. It will save the information as logs at
You can access it using:
sudo tail -f /var/log/messages
For more commands, users can see the ArpWatch Man page.
Step 6: Basic Arpwatch configuration (optional)
Want to Configure mail so that you get a notification if there are any changes to the network interface?
For it, edit the file
/etc/sysconfig/arpwatch and add the following line. Don’t forget to change admin@example with your email address.
OPTIONS="-u arpwatch -e [email protected] -s 'root (Arpwatch)'"
For monitoring multiple Ethernet addresses, use the following lines. Replace eth1, eth2 ,eth3…. with the interface you want to observe.
OPTIONS="-u arpwatch -e - -s 'root (Arpwatch)'" INTERFACES="eth0 eth1 eth3"
Step 7: Important files location
At the end of this tutorial let’s get familiar with some important Arpwatch files and their locations.
/etc/sysconfig/arpwatch : Key system configuration file for this tool.
/usr/sbin/arpwatch: The main folder of ArptWatch where its binary is located.
/var/lib/arpwatch/arp.dat : ARP Dat is a file to store the database of Ethernet MAC addresses seen on the network.
/var/log/messages : File that logs the details of changes that happen over Ip or mac-address
Step 7: Uninstall AprtWatch from Linux
For those who didn’t like this network monitoring tool and want to completely remove the Arpwatch from AlmaLinux or Rocky, here is the command to follow:
sudo dnf remove arpwatch