ArpWatch Support

I would like to see support for ARP change detection. For instance, say 00:DE:AD:BE:EF:00 was assigned to 192.168.0.2 on ether8. Then half a second later it mysteriously appeared on ether2. Then back to ether8.

Basically, people are stealing internet service from me by cloning MAC and IP addresses on wired networks. I have managed switches now, but I have no way of knowing if this is happening short of manual inspection. It would be great (assuming I deployed Mikrotik as my managed switch solution) to get a log error if an ARP entry didn’t change, yet kept bouncing back and forth between different ports. Better yet, an SNMP trap.

arpwatch logs IP-MAC pair changes and doesn’t care about port changes.

The port/MAC address pairing is bridge related. I bet you don’t want to be notified about every new MAC in the bridge tables. Also keep in mind, the ARP cache is 5 min (by default), which means that if the device is not active, it will disappear, and if active, it will be visible again.
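
The port-flapping check requested at the top of the thread, as an added example (not part of the original posts and not MikroTik code). It assumes you can poll a switch's MAC/host table into `(timestamp, mac, port)` records; the function name, window and threshold are illustrative assumptions. First sightings and entries that age out and return on the same port are not counted, so only repeated port changes raise an alert.

```python
from collections import defaultdict, deque

def detect_flaps(observations, window=5.0, min_moves=2):
    """Return {mac: [(time, old_port, new_port), ...]} for MACs that changed
    bridge port at least `min_moves` times within `window` seconds.

    observations: iterable of (timestamp_seconds, mac, port) sorted by time,
    e.g. from polling a switch host table (the data source is an assumption).
    """
    last_port = {}               # mac -> port it was last seen on
    moves = defaultdict(deque)   # mac -> recent port changes
    flagged = {}
    for ts, mac, port in observations:
        mac = mac.upper()        # normalise case so clones compare equal
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue             # new MAC, or aged out and back on same port
        q = moves[mac]
        q.append((ts, prev, port))
        while q and ts - q[0][0] > window:
            q.popleft()          # forget moves older than the window
        if len(q) >= min_moves:
            flagged[mac] = list(q)
    return flagged

# Constructed sample data, modelled on the scenario in the first post.
SAMPLE = [
    (0.0, "00:DE:AD:BE:EF:00", "ether8"),
    (0.5, "00:de:ad:be:ef:00", "ether2"),    # same MAC on another port
    (1.0, "00:DE:AD:BE:EF:00", "ether8"),    # and back again: flapping
    (2.0, "00:11:22:33:44:55", "ether3"),    # new MAC that never moves
    (10.0, "00:AA:BB:CC:DD:EE", "ether4"),
    (400.0, "00:AA:BB:CC:DD:EE", "ether4"),  # aged out, returned on same port
    (900.0, "00:AA:BB:CC:DD:EE", "ether5"),  # single relocation, not flagged
]

if __name__ == "__main__":
    for mac, events in detect_flaps(SAMPLE).items():
        for ts, old, new in events:
            print(f"{ts:7.1f}s {mac} moved {old} -> {new}")
```

A single move is treated as a legitimate relocation; raising `min_moves` or shortening `window` trades sensitivity for fewer false alerts.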

If you have managed switches either use VLANs or port isolation if they support it. That way no clients can scan the network to see what MAC addresses are out there to change it to something else.