arpwatch for Debian ------------------- The Debian version of arpwatch does not ship with its own version of ethercodes. Instead, the data from the ieee-data package is used. If you want to keep your database up-to-date, use update-ieee-data(8). Arpwatch will always keep its database in sync with what is provided by ieee-data, but the changed database will only be used after a restart. If you want to maintain the ethercodes.db file (located in /var/lib/arpwatch) yourself, you can disable the update from ieee-data using dpkg-divert: dpkg-divert --rename \ --divert /var/lib/ieee-data/update.d/arpwatch.disabled \ --add /var/lib/ieee-data/update.d/arpwatch arpwatch cannot process 802.1q (VLAN) tagged packets, so Debian's version of arpwatch ignores them. If you need to monitor these packets, create an interface in the respective VLAN and run an instance of arpwatch on that interface as well. The last release to arpwatch has been in 2006. As a result, quite a lot of features have been integrated into arpwatch for Debian. Details about which options have been added can be found in the man page of arpwatch(8). -- Lukas Schwaighofer Fri, 12 May 2017 19:26:10 +0200