IPwatchD an IP conflict detection tool for Linux

IPwatchD an IP conflict detection tool for Linux

Project name: IPwatchD – IP conflict detection tool
Author: Jaroslav Imrich
Project’s Home Page: IPwatchD



When using a GNU/Linux operating system, from time to time you may come across a situation where network connectivity was interrupted due to the IP conflict. An IP conflict event occurs when two or more hosts on the same network are configured with identical IP addresses. At the present, there appears to be no code in the Linux kernel to take care of this situation by means of appropriate Gratuitous ARP response . Very often a network administrator is left in the complete ignorance by the Linux kernel and needs to troubleshoot IP conflict the hard way. An IP Address Conflict GUI dialog triggered by IPwatchD Daemon Fortunately, there is a simple daemon called IPwatchD which main purpose is to catch and evaluate packets on the network and this way is able to prevent an IP conflict occurrence. This is done by help of libpcap library. IPwatchD daemon is written in C language and can run in passive or active modes. The difference between a passive and active mode is that in the passive mode IPwatchD only logs every IP conflict event by engaging syslog daemon, and in active mode IPwatchD takes one step further and responds to Gratuitous ARP request which is the main construction block when it comes to the IP conflict prevention. This article will explore this simple daemon in terms of installation, configuration and usage.


Before we can install IPwatchD under the GNU/Linux operating system it is recommended to confirm that all prerequisites needed by IPwatchD are installed on the system. Here is a list of packages you would need to install on Ubuntu 8.10.

 * build-essential - C compiler and other development tools
* libpcap-dev - Network packet capture library
* libnet1-dev - Network packet construction library
* libnotify-dev - sends desktop notifications to a notification daemon

On ubuntu or debian linux you can install those packages with a following linux command:

# apt-get install build-essential libpcap-dev libnet1-dev libnotify-dev 



Now, that we have installed all required prerequisites, it is time to compile and install IPwatchD daemon. There are two types of IPwatchD installations.

  • Desktop version with build-in GUI message notification
  • Server version which encompasses just the IPwatchd daemon without a GUI message notification

Difference between Desktop and Server version is that in Desktop version IPwatchD reacts to the IP conflict event by displaying a message on the GUI as well as to the relevant long files. In the contrary to the Desktop version, Server version only logs an IP conflict event to the relevant log files.

IPwatchD Desktop version

The installation routine of IPwatchD for both Desktop and Server versions is very similar. Download IPwatchD source code tarball and enter following linux commands:

$ bunzip2 ipwatchd-x.x.tar.bz2
$ tar xvjf ipwatchd-x.x.tar
$ cd ipwatchd-x.x/src
$ make

Once a binary is compiled, login as a superuser (root) and enter:

# make install 

IPwatchD Server version

To install a IPwatchD server version compile a IPwatchd source code by:

$ bunzip2 ipwatchd-x.x.tar.bz2
$ tar xvjf ipwatchd-x.x.tar
$ cd ipwatchd-x.x/src
$ make daemon

Once a binary is compiled, login a superuser (root) and enter:

# make install 

At this point all IPwatchD executable binaries are copied into the /usr/local/sbin. The configuration file can be found in /usr/local/etc directory.

NOTE: To uninstall IPwatchD, simply as a root user issue a command:

make unistall 


As it was already mentioned above, an IPwatchD daemon can work in two modes. To instruct this daemon to listen on the eth0 in active mode amend a configuration file /usr/local/etc/ipwatchd.conf with a following line:

eth0 active 

IpwatchD daemon is also able to work with virtual interfaces. So feel free to add line “eth0:1 passive” if you want IPwatchD listen on eth0:1 network interface in a passive mode.


Curent version of IPwatchD 1.1.1 does not start by it self. To start IPwatchD run a following linux command as a root user:

# /usr/local/sbin/ipwatchd -c /usr/local/etc/ipwatchd.conf 

Confirm that IPwatchD is running on your system by ps command:

ps aux | grep ipwatchd 

You should get an output similar to the one below:

root     10814  0.0  0.2   2032   572 ?        Ss   19:27   0:00 
/usr/local/sbin/ipwatchd -c /usr/local/etc/ipwatchd.conf
root 10818 0.0 0.3 3240 796 pts/1 R+ 19:27 0:00 grep ipwatchd

To logic here is as follows, modern operating systems are trying to avoid an IP conflict by sending a special type of ARP broadcast packets at the boot time or during a network interface reconfiguration. This type of special broadcast packet is called [http://wiki.wireshark.org/Gratuitous_ARP Gratuitous ARP]. The purpose of the Gratuitous ARP packet is to discover, if an IP address they are about to acquire is not already taken by yet another host.

IP conflict occurred message

An alternative to the GUI notification message is a syslog file. IPwatchD also logs all relevant IP conflict events into the syslog file. Here is a sample message generated by IPwatchD daemon:

an 11 20:50:47 linuxconfig-desktop IPwatchD[13215]: MAC address 8:0:27:b6:5a:6c causes 
IP conflict with address set on interface eth0 - active mode - reply sent
Jan 11 20:50:47 linuxconfig-desktop avahi-daemon[3965]: Withdrawing address
record for on eth0.

NOTE: To stop IPwatchD daemon you can use kill command. This way IPwatchD daemon receives SIGTERM signal which will gracefully stop this process, release a used memory and stop listening on a network interface. For the long run, to make it automatic, you can also create some simple daemon init.d script and link it from an appropriate runlevel directory on your system.


IPwatchD is certainly a handy tool which can sometimes save you a day. However, there are also some limitations. Current version of IPwatchD 1.1.1 is limited to only GNOME graphical user interface. Nevertheless, it is still possible to use a Server version and refer to the syslog file in case of some unexpected connectivity problems.