How to install Arpwatch on AlmaLinux or Rocky Linux 8/9

Are you looking to add additional security to your AlmaLinux or Rocky Linux 8/9 system? Arpwatch is a useful tool for logging and reporting changes in the Address Resolution Protocol (ARP) traffic on a network segment. This article will provide a step-by-step guide on how to install and configure Arpwatch on AlmaLinux or Rocky.

Both Rocky and Linux Alma are open-source distros based on Red Hat Enterprise Linux (RHEL). It’s designed to run enterprise workloads with reliability and stability. Server Admins usually prefer to run RHEL-based Linux because of added security measures when it comes to preventing malicious activities on their systems. Among various security tools, Arpwatch is particularly useful for monitoring incoming IP addresses and MAC addresses.

This article will help you understand how to install Arpwatch on AlmaLinux in order to detect anomalies that may point toward malicious activities. We’ll also provide tips to optimize its performance as well as troubleshoot problems related to its usage. Once installed and configured correctly, Arpwatch delivers great monitoring benefits for all users of AlmaLinux systems across the board.

Installing Arpwatch on AlmaLinux or Rocky Linux 8/9

Step 1: Requirements

There are no special requirements to install AprtWatch on Linux, however, to perform the steps given in this tutorial user must make sure to have:

  • Linux Alma or Rocky installed server or VM
  • Internet connection
  • Sudo or root Admin user access

Step 2: Update using DNF or YUM

It is important to run the system update before running the installation command for some software. Because sometimes, due to the old package manager index cache, it refuses to install the latest available version of the software via the system repository. Hence, run:

sudo dnf update

Step 3: Enable the EPEL repository

Epel is the popular repository for RHEL and its based Linux systems to get the packages that are not available through the default system’s AppSream and BaseOS Repos. Hence, to enable it, use:

sudo dnf install epel-release

Run the update command once again:

sudo dnf update

Step 3: Install Arpwatch in Linux – Alma or Rocky

After adding EPEL on the server we can either use the DNF or Yum to install Aprwatch on Almalinux or Rocky without adding any other third-party repository.

sudo dnf install arpwatch


Rocky Linux 9 - BaseOS                                                                  2.4 kB/s | 4.1 kB     00:01
Rocky Linux 9 - AppStream                                                               2.9 kB/s | 4.5 kB     00:01
Rocky Linux 9 - Extras                                                                  1.9 kB/s | 2.9 kB     00:01
Dependencies resolved.
 Package                       Architecture             Version                          Repository                Size
 arpwatch                      x86_64                   14:3.3-6.el9                     epel                     334 k
Installing dependencies:
 esmtp                         x86_64                   1.2-19.el9                       epel                      52 k
 libesmtp                      x86_64                   1.0.6-24.el9                     epel                      66 k
 liblockfile                   x86_64                   1.14-10.el9                      baseos                    27 k

Transaction Summary
Install  4 Packages

Total download size: 479 k
Installed size: 1.4 M
Is this ok [y/N]:

Step 4: Check ArpWatch Version

To confirm the tool is on our Linux system, we can use the command to check the ArpWatch version, here it is:

arpwatch -V

Step 5: How to use Arpwatch to start monitoring ethernet

To start monitoring any particular ethernet network interface using Arptwatch on Almalinux or Rocky, use the syntax-

arpwatch -i <interface-name>

For example, if our ethernet interface is ens33 then the command will be:

sudo arpwatch -i ens33

The above command will not show any output instead it sits in the background silently to monitor some changes happening on the network interface. It will save the information as logs at /var/log/messages

You can access it using:

sudo tail -f /var/log/messages

For more commands, users can see the ArpWatch Man page.

Step 6: Basic Arpwatch configuration (optional)

Want to Configure mail so that you get a notification if there are any changes to the network interface?

For it, edit the file /etc/sysconfig/arpwatch and add the following line. Don’t forget to change admin@example with your email address.

OPTIONS="-u arpwatch -e [email protected] -s 'root (Arpwatch)'"

For monitoring multiple Ethernet addresses, use the following lines. Replace eth1, eth2 ,eth3…. with the interface you want to observe.

OPTIONS="-u arpwatch -e - -s 'root (Arpwatch)'"
INTERFACES="eth0 eth1 eth3"

Step 7: Important files location

At the end of this tutorial let’s get familiar with some important Arpwatch files and their locations.

/etc/sysconfig/arpwatch : Key system configuration file for this tool.
/usr/sbin/arpwatch: The main folder of ArptWatch where its binary is located.
/var/lib/arpwatch/arp.dat : ARP Dat is a file to store the database of Ethernet MAC addresses seen on the network.
/var/log/messages : File that logs the details of changes that happen over Ip or mac-address

Step 7: Uninstall AprtWatch from Linux

For those who didn’t like this network monitoring tool and want to completely remove the Arpwatch from AlmaLinux or Rocky, here is the command to follow:

sudo dnf remove arpwatch

Other Articles:

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.