Someone mentioned arpwatch. Sounded cool. So I got the .gz, did configure, make, and make install on my ossec machine, and started it up from a terminal window. I see nothing. So I arpwatch -?, and it shows me a few flags, none of which is the -m or -e I saw in some online docs to give it an email address to alert to.
So I'm reading around, and while I'm reading, in comes an email from my ossec server telling me that arpwatch has found two new IP addresses, and here are their MAC addresses too. Very cool. But how did it know?
