Detect ARP spoofing quickly & increase network security

Brzozova
4 min readOct 13, 2023

--

To gain insights into the underlying protocols and strengthen defenses against attacks like ARP spoofing, several tools are available that can help us in network monitoring, analysis, and security.

Check my list of the best tools to hack or detect ARP attacks, but also other network-based attacks. However, first short explanation of what is ARP and how it works.

What is ARP?

ARP is one of many networking protocols, but this one is responsible for mapping IP addresses to physical MAC addresses on a local network. It operates at the 2nd layer which is the Data Link in the OSI model.

Let’s say that one device needs to communicate with another device on the same network and doesn’t know its MAC address. In order to connect it sends an ARP request. Here is a process:

  1. The device is sending ARP request to another device.
  2. The request is broadcast to all devices on the network.
  3. The device with the corresponding IP address responds with MAC address.
  4. Data is to be sent to the correct MAC address on the network.

What are the ARP attack's consequences?

ARP attacks can have serious consequences on a network’s security.

Here are some of the most common results:

  • Identity thieves — attackers impersonate legitimate devices on the network, which may lead to identity theft, unauthorized access to network resources.
  • Man-in-the-middle attacks — gaining unauthorized access to the network.
  • Denial of Service (DoS) attacks — ARP flooding can disrupt network operations by overwhelming ARP caches.
  • Data interception — attackers can capture sensitive information in transit.

Wireshark

The most obvious tools for network traffic scanning is Wireshark. It’s a widely used network protocol analyzer that captures and examines network traffic in real time.

It allows you to inspect packets at various layers of the network stack, including Ethernet, ARP, IP, and more. Wireshark helps identify abnormal ARP activity, allowing you to detect potential ARP spoofing attacks.

List of useful commands:

  • Launch Wireshark: wireshark
  • Capture packets on a specific network interface: wireshark -i <interface>
  • Filter captured traffic for ARP packets searching arp
  • Show only ARP packets from a specific IP address: arp.src.proto_ipv4 == <IP>
  • Show only ARP packets with a specific MAC address: arp.src.hw_mac == <MAC>

ARPwatch

ARPwatch is a tool specifically designed to monitor ARP activity and detect ARP-based attacks. It continuously monitors the local network and maintains a database of IP-to-MAC address mappings.

ARPwatch alerts us when it detects any changes or inconsistencies in the ARP tables, such as multiple MAC addresses associated with a single IP address or IP address changes for a known MAC address.

List of useful commands:

  • Start ARPwatch to monitor network activity: arpwatch -i <interface>
  • Specify the log file location: arpwatch -f <log_file>
  • Monitor multiple network interfaces: arpwatch -i <interface1> -i <interface2>
  • Run ARPwatch in the background: arpwatch -d

Ettercap

Ettercap is the next tool for network monitoring and attack analysis. It supports ARP poisoning attacks, sniffing, protocol analysis, and network discovery.

Ettercap allows us to analyze captured packets, detect ARP spoofing attempts, and perform ARP spoofing as a controlled experiment for testing network security.

List of useful commands:

  • Launch Ettercap: ettercap -G
  • Scan the network to discover hosts: ettercap -T -i <interface> -L
  • Perform ARP poisoning on a target: ettercap -T -i <interface> -M arp:remote /<target_IP>/ /<victim_IP>/
  • Enable IP forwarding for ARP poisoning: echo 1 > /proc/sys/net/ipv4/ip_forward

Cain and Abel

Cain and Abel is a network security tool that offers a range of capabilities, including ARP spoofing detection.

It allows us to perform ARP cache poisoning attacks to test the security but also provides mechanisms to detect and counter such attacks. Cain and Abel can monitor ARP tables, detect unauthorized changes, and send alerts.

How to search ARP:

  • Launch Cain and Abel: Run the application and choose the features from the menu.
  • ARP poisoning: Go to the „ARP” tab, select the appropriate network interface, and click on the „Start/Stop ARP” button.
  • ARP table monitoring: Go to the „ARP” tab and click on the „ARP Watch” button.

Snort, Suricata

NIDS (Network Intrusion Detection System) tools, such as Snort or Suricata, monitor network traffic for malicious activities, including ARP spoofing.

These systems are a combination of signature-based detection and behavior analysis to identify potential attacks. By configuring NIDS with appropriate rules, you can enhance your network’s defenses against ARP spoofing and other security threats.

List of useful commands for Snort:

  • Start Snort in packet sniffing mode: snort -i <interface>
  • Load Snort rules from a specific configuration file: snort -c <config_file>
  • Display alerts for ARP spoofing attempts: snort -A console -c <config_file> -e

List of useful commands for Suricata:

  • Start Suricata in packet capture mode: suricata -c <config_file> -i <interface>
  • Monitor network traffic and display alerts: suricata -c <config_file> -i <interface> –alert-console

Splunk

Security Information and Event Management (SIEM) systems, like Splunk or ELK Stack, aggregate logs and events from various sources across the network.

By analyzing the collected data, SIEM tools can help identify patterns and anomalies, including ARP spoofing attempts. SIEM systems provide a centralized platform for monitoring network activity, generating alerts, and facilitating incident response.

Useful Splunk search queries:

  • Search for ARP spoofing-related events: index=<your_index> sourcetype=<your_sourcetype> „ARP spoofing”
  • Filter events based on specific IP addresses: index=<your_index> sourcetype=<your_sourcetype> src_ip=<IP>
  • Search for events related to ARP table changes: index=<your_index> sourcetype=<your_sourcetype> „ARP table changed”
  • Filter events within a specific time range: index=<your_index> sourcetype=<your_sourcetype> earliest=-24h latest=now

Summary

These tools can be implemented as part of a comprehensive network security strategy. It will enhance defenses against ARP spoofing and similar attacks. Choose the best tools that suit your case and make your network a more secure place.

--

--