This is what one of the emails from arpwatch looks like. In this example the device plugged in was an HP thin client. Those do broadcast a NetBIOS name, but do not register in DNS:
Code:
hostname: <unknown>
ip address: 192.168.3.8
ethernet address: 0:f:20:d9:5b:23
ethernet vendor: Hewlett Packard
timestamp: Monday, March 2, 2009 15:42:03 -0500
If a name exists in DNS, arpwatch will include it in that email. Not if it's just a NetBIOS name, though. If I could cram that nmblookup into what arpwatch does somehow it would probably do the trick!
(And yes, you are probably noticing that weird MAC address - I think arpwatch has problems with 0 as the first character in each set. Not a big deal.)
phoenix - Yeah, you are right. And I could do MAC filtering on my Cisco switches too. But I don't think they want me to be that exclusive... yet. So for the time being I can content myself with knowing whenever a new device plugs into the network!