/networkservices_arp.htm" />

Please enable JavaScript to view this site.

The ARP daemon component listens to all network traffic on one or more interfaces and offers the following functionality:


Collects statistics about MAC addresses being used on the network

Issues alerts when new MAC addresses are found

Issues alerts when IP - MAC address mappings are changed


The ARP daemon goes through an initial learning period of 2 weeks after which it assumes to have a useful baseline of all network devices on the network and will alert on new MAC addresses found (if enabled).




The ARP Daemon requires a WinPcap compatible driver in order to capture network traffic. Npcap is currently the driver of choice since the original WinPcap driver is no longer under active development.


IMPORTANT: When installing, make sure that "Install Npcap in WinPcap API-compatible Mode" is checked.






Provides real-time information on MAC address usage and changes.


When was a MAC address first and last seen on the network?

With which IP address is a MAC address associated with?

With with hostname is a MAC address associated with?

With which vendor is a MAC address associated with?



In addition to providing statistical information about the network, the ARP daemon also issues alerts under the following circumstances:


A new MAC address was discovered outside the initial learning period

A MAC address is registering itself with an IP address that is already registered with a different MAC address (possible ARP spoof attempt)





In order for the ARP daemon component to run, either "Detect new MAC addresses" or "Detect spoof attempts" needs to be checked.



Configure on which interface(s) the ARP daemon should listen for network traffic by specifying on or more MAC addresses. While not absolutely necessary, best results are achieved if the interface(s) the ARP daemon is listening is connected to a switch port which receives all network traffic of the switch. A port on the switch which receives all network traffic (as opposed to the default, where it only receives traffic directed to the registered MAC addresses) is usually referred to as a monitor port.