Bug#221616: arpwatch behaviour inlogical wrt to flipflop/new station

Lukas Schwaighofer lukas at schwaighofer.name
Sat Jan 27 08:59:57 UTC 2018


Hello Alexander,

thank you for your report.  Unfortunately I'll have to disappoint:
I've no plans on extending arpwatch to be able to "follow" ethernet
addresses.  I also don't want to merge #527251, as it adds quite a bit
of code that we would need to support.  Substantial changes like that
are typically done in the upstream project before they can make their
way into Debian.  However, in the arpwatch case, upstream has been
inactive for a long time so I consider it very unlikely this will
happen…

Arpwatch has always only "followed" IPv4 addresses (and never ethernet
addresses), meaning if it sees an ARP message containing an
IPv4/ethernet "binding" it will look up previous ethernet address(es)
using that IPv4 address.  As you can probably imagine, changing the code
to "follow" ethernet addresses too would be a substantial change.

I wasn't aware the documentation is wrong in that regard.  Thanks for
pointing that out.  I will probably change the wording to something
similar to:

  new station: "There are no previous known ethernet addresses for this
                IPv4 address"


So much for the bad news, I also have something that might help you:
Since Debian version 2.1a15-4 (unfortunately not in stretch) arpwatch
supports filters to ignore certain packets.  So if you are happy with
completely ignoring your laptop's ethernet address in arpwatch (and
after upgrading to that version), you could add a filter to do that.

Sorry I'm not able to offer more help.

Have a nice weekend
Lukas
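
A simplified model of the IPv4-keyed lookup described in the message above, added here as an illustration; it is not part of the original mail and is not arpwatch's code. The class and function names are hypothetical, the report strings are the message names from the arpwatch man page, timestamps and the "new activity" report are left out, and the sample events are constructed.

```python
class Ipv4KeyedTracker:
    """Toy model: history is stored per IPv4 address, never per ethernet address."""

    def __init__(self):
        self.by_ip = {}  # IPv4 address -> list of ethernet addresses, most recent first

    def observe(self, ip, mac):
        """Record one ARP binding and return the report it triggers (None if nothing changed)."""
        mac = mac.lower()
        history = self.by_ip.get(ip)
        if history is None:
            # No previous known ethernet addresses for this IPv4 address.
            self.by_ip[ip] = [mac]
            return "new station"
        if history[0] == mac:
            return None
        if mac in history:
            pos = history.index(mac)
            history.remove(mac)
            history.insert(0, mac)
            # Position 1 is the second most recently seen address.
            return "flip flop" if pos == 1 else "reused old ethernet address"
        history.insert(0, mac)
        return "changed ethernet address"


def replay(events):
    """Feed (ip, mac) pairs through a fresh tracker and collect the reports."""
    tracker = Ipv4KeyedTracker()
    return [tracker.observe(ip, mac) for ip, mac in events]


# Constructed sample: one laptop (…:aa) moving between two addresses,
# and a second host (…:bb) taking over the first address in between.
CONSTRUCTED_EVENTS = [
    ("192.0.2.10", "02:00:00:00:00:aa"),  # laptop first seen on .10
    ("192.0.2.20", "02:00:00:00:00:aa"),  # same laptop, different IPv4 address
    ("192.0.2.10", "02:00:00:00:00:bb"),  # another host now answers for .10
    ("192.0.2.10", "02:00:00:00:00:aa"),  # laptop returns to .10
    ("192.0.2.20", "02:00:00:00:00:aa"),  # unchanged binding
]

if __name__ == "__main__":
    for (ip, mac), report in zip(CONSTRUCTED_EVENTS, replay(CONSTRUCTED_EVENTS)):
        print(ip, mac, report)
```

The second event is the case from the bug report: the ethernet address is already known, but because the lookup key is the IPv4 address it is still reported as a new station.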


