Here’s a simple arpwatch-like script that (ab)uses firewall address list comments for MAC address storage. Schedule it in sync with ARP ttl and it will log/email you about every new device that appears in your network.
Pro tip: let it run at least once before you edit and uncomment the e-mail line, especially if you have a large busy network!
:local ipaddr;
:local macaddr;
:local iface;
:local macoui;
/ip arp
:foreach i in=[ /ip arp find ] do={
:set ipaddr [get $i address]
:set macaddr [get $i mac-address]
:set iface [get $i interface]
:if ([/ip firewall address-list find list="arpwatch" comment=$macaddr] = "") do {
/ip firewall address-list add list="arpwatch" address=$ipaddr comment=$macaddr disabled=yes
:log warning ("New MAC address: $macaddr ($ipaddr@$iface)")
:set macoui ([:tostr [:pick $macaddr 0]] . [:tostr [:pick $macaddr 1]] . [:tostr [:pick $macaddr 3]] . [:tostr [:pick $macaddr 4]] . [:tostr [:pick $macaddr 6]] . [:tostr [:pick $macaddr 7]])
# /tool e-mail send to="your@email" subject="ARPwatch" body="New MAC address: $macaddr ($ipaddr@$iface)\r\n\r\nManufacturer: http://standards.ieee.org/cgi-bin/ouisearch?$macoui"
}
}
Btw, if you want to monitor just one interface, simply change the following line like this:
:foreach i in=[ /ip arp find interface=<yourinterfacename>] do={