Arpwatch email notifications not including hostname or vendor

  • Running pfSense 2.4.4 p3, when a new device joins the network I receive the following email:

    Subject line:
    <hostname>.<domain> - Arpwatch Notification : new station

    Email body:
    hostname: <unknown>
    ip address: 172.16.x.x
    ethernet address: ac:7b:a1:xx:xx:xx
    ethernet vendor: <unknown>
    timestamp: Tuesday, October 1, 2019 10:58:37 -0500

    When I go to Diagnostics -> Arp Table, next to the MAC address it shows (Intel Corporate) and displays the correct device hostname.

    How do I get the Arpwatch notifications to include this information from the ARP table?

    Receiving an email when a device joins the network has limited usefulness without stating the hostname or vendor... have to go to the DHCP or ARP tables to find out what the device is.

  • After reviewing the following file, /usr/local/pkg/

    define('ARPWATCH_LOCAL_DIR', '/usr/local/arpwatch');
    define('ARPWATCH_ETHERCODES_URL', '');


    function arpwatch_get_arp_file($ifname) {
    	return ARPWATCH_LOCAL_DIR."/arp_$ifname.dat";
    function arpwatch_update_vendors() {
    	download_file(ARPWATCH_ETHERCODES_URL, ARPWATCH_LOCAL_DIR."/ethercodes.dat");

    In /usr/local/arpwatch I see .dat files for each interface, but not ethercodes.dat (screenshot below).


    I downloaded ethercodes.dat from the URL and uploaded to the Arpwatch directory, will see if vendor names start resolving in the email notifications.

Log in to reply