Arpwatch issues

  • I started looking into arpwatch after I got this error "Fatal error: Call to undefined function stop_service() in /usr/local/www/arpwatch_reports.php on line 37"
    which lead me to this post:
    and the solution was "Hard drive was damaged and replaced. After that, everything was working well. Most likely the problem was this."
    I think that is very odd, because I started to look where stop_service() is declared and found it in this file /etc/inc/
    which is not included in /usr/local/www/arpwatch_reports.php

    So I included and the problem was solved, is this a miss by the author or how come wasn't included?

    --- arpwatch_reports.php	2012-06-29 14:33:58.000000000 +0200
    +++ arpwatch_reports_include_fix.php	2012-06-29 14:09:10.000000000 +0200
    @@ -30,6 +30,7 @@
     $logfile = "/usr/local/arpwatch/arp.dat";

    Next issue:

    When I click on "Clear log" arp.dat is accessed but not cleared

    ls -l /usr/local/arpwatch/arp.dat

    -rw-r–r--  1 root  wheel  163 Jun 29 12:12 /usr/local/arpwatch/arp.dat

    clicks again, same result,
    third time it is cleared:

    ls -l /usr/local/arpwatch/arp.dat

    -rw-r–r--  1 root  wheel  0 Jun 29 12:17 /usr/local/arpwatch/arp.dat

    for some reason unlink does not work probably, but cant figure out why
    no errors shown in /var/log/lighttpd.error.log

    Last issue:

    This is what happens when I change interface in

    clog -f /var/log/arpwatch.log

    Jun 29 11:52:54 FW arpwatch: listening on em0  #arpwatch is started and WLAN (em0) is choosen here
    Jun 29 12:18:29 FW arpwatch: exiting                #choose LAN
    Jun 29 12:18:31 FW arpwatch: listening on em0  #still on WLAN (em0)
    Jun 29 12:20:13 FW arpwatch: exiting                #choose LAN again
    Jun 29 12:20:15 FW arpwatch: listening on bge1 #this time the interface is changed to LAN (bge1)

    as you can see, the first time I choose LAN the interface is not changed, second time it changes the interface.

    This is because
    1. old config-file is parsed
    2. arpwatch is restarted with settings from old config
    3. new config-file is written with the new values

    It is solved by changing /usr/local/pkg/arpwatch.xml to $int = $_POST['interface'] instead of $config

    --- arpwatch.xml	2012-06-29 14:13:59.000000000 +0200
    +++ arpwatch_POST_fix.xml	2012-06-29 14:07:07.000000000 +0200
    @@ -91,7 +91,7 @@
     		global $config;
    -		$int = $config['installedpackages']['arpwatch']['config'][0]['interface'];
    +		if($_POST['interface'] != "") { $int = $_POST['interface']; } else { $int = $config['installedpackages']['arpwatch']['config'][0]['interface']; }
     		$int = convert_friendly_interface_to_real_interface_name($int);
     		$start = "/usr/local/sbin/arpwatch -d -i {$int} > /var/log/arpwatch.reports 2>&1 &";
     		$stop = "/usr/bin/killall arpwatch";

    system: 2.0.1-RELEASE (i386) built on Mon Dec 12 18:24:17 EST 2011 FreeBSD 8.1-RELEASE-p6 (upgraded from 1.2.3-RELEASE )

  • Hi and thank you, you allowed me to solve the first problem (unable to clean the report).
    I don't have the other two problems, but I have another issue, like everyone who's using arpwatch on pfsense likely has.
    Which is, I need the pfsense box to email me when arpwatch does something.
    From the arpwatch logs, I can see that arpwatch is indeed trying to send me an email to notify me of changes to arp.dat, but cannot find /usr/bin/sendmail.
    I understand sendmail is not officially available in pfsense.
    Can you or anyone explain how (if at all possible) I can install and configure it, or else how can I get arpwatch to send me email?

  • Btw, once you test them, you can submit those bug-fixes to the pfsense public repository at GitHub (

    The steps to do this are:

    1. open an account at GitHub (if you don't have one already)
    2. fork pfsense-packages (or the other repositories as well)
    3. make changes
    4. open a pull request

  • I just submitted a pull request and Jimp has merged it. It fixes the "not saving the interface name the first time" problem and makes the install work on 2.1 with the pbi file - the default arp.dat file location had changed and the package code was not aware. Now arp.dat is in /var/log. That also makes it work on nanobsd, where /usr is RO.
    Reinstall and confirm it goes.

  • I have just reinstalled the package.
    The version number did not change (2.1.a15_6).
    Reinstalling reintroduced the bug with being unable to clean the report.
    I had to edit the php file as per this topic again.

  • Nice, thank you phil.davis for pushing it to github, I have a github acc but didnt know about that repository.

    now its just a few more bugs left  ::)
    the mail part is very important, I had this package running on a lan-party last week and forgot about it.
    when I checked the report I saw my server's mac-address on 3 ip-adresses, it was because i used linux-vserver but if it had been an arp poisoning I would not have notices untill I got ssl-warnings and slow network :P

Log in to reply