A Comprehensive Guide to Network Security with Wireshark
📘 About This Guide: This documentation provides a detailed walkthrough of detecting and
preventing ARP (Address Resolution Protocol) poisoning attacks using Wireshark. You'll learn how to identify
malicious network activities and implement protection strategies.
🎯 Understanding ARP Protocol
The Address Resolution Protocol (ARP) is a fundamental network protocol that maps IP addresses to MAC (Media
Access Control) addresses on local networks. When a device wants to communicate with another device on the
same network, it uses ARP to discover the physical MAC address associated with a specific IP address.
Normal ARP Communication Flow
Computer A (10.20.40.100) ➡️ Router (10.20.40.1) ➡️ Computer B (10.20.40.200)
Devices communicate directly using correct MAC addresses
⚠️ What is ARP Poisoning?
ARP poisoning (also known as ARP spoofing) is a type of cyber attack where an attacker sends falsified ARP
messages over a local network. This results in the linking of the attacker's MAC address with the IP address
of a legitimate device (often the default gateway). The attacker can then intercept, modify, or block data
intended for that IP address.
ARP Poisoning Attack Scenario
Victim (10.20.40.100) ⚡ Attacker (10.20.40.67, Man-in-the-Middle) ⚡ Router (10.20.40.1)
The attacker intercepts all traffic between victim and router
🔍 Part 1: Configuring Wireshark for Detection
Initial Setup Steps
1. Open Wireshark Preferences: navigate to Edit → Preferences (or Wireshark → Preferences on macOS)
2. Configure ARP Protocol Settings: go to Protocols → ARP in the preferences menu
3. Enable Storm Detection: check the option "Detect ARP request storms"
💡 What is an ARP Storm? An ARP request storm occurs when a device sends an
unusually high number of ARP requests in a short period, typically indicating network scanning or
reconnaissance activities.
4. Save and Start Capture: click OK to save settings and begin packet capture on your network interface
🕵️ Part 2: Detecting Network Discovery Attempts
Using Netdiscover for Testing
In this example, we'll use the netdiscover tool from Kali Linux to simulate a network scanning
attempt. This tool sends ARP requests to discover all devices connected to the network.
Once the network scan is executed, Wireshark will capture numerous ARP packets. Here's what to look for:
| Packet Field | Suspicious Value | Indication |
|---|---|---|
| Source MAC | Same MAC for multiple requests | Single device scanning |
| Destination | Broadcast (FF:FF:FF:FF:FF:FF) | Network-wide inquiry |
| ARP Query | "Who has X.X.X.X? Tell Y.Y.Y.Y" | IP discovery attempt |
| Frequency | Hundreds of requests per second | Automated scanning tool |
Example ARP Packets During Network Scan
Who has 10.20.40.1? Tell 10.20.40.67
Who has 10.20.40.2? Tell 10.20.40.67
Who has 10.20.40.3? Tell 10.20.40.67
...
Who has 10.20.40.241? Tell 10.20.40.67
Who has 10.20.40.251? Tell 10.20.40.67
🚨 Red Flag: When you see a single IP address (like 10.20.40.67) requesting information
about every possible IP in the range sequentially, this indicates a network reconnaissance attempt.
Using Expert Information
Wireshark's Expert Information feature provides automated analysis of captured packets:
1. Access Expert Information: navigate to Analyze → Expert Information
2. Check for Warnings: look for entries labeled "ARP packet storm detected"
3. Identify the Source: the warning will indicate which device is generating excessive ARP traffic
🎭 Part 3: Detecting ARP Poisoning Attacks
Signs of Active ARP Poisoning
When an attacker performs ARP poisoning, they manipulate the ARP cache of victim devices. Wireshark can
detect this through several indicators:
⚠️ Critical Warning: Duplicate IP Address Configured
This warning appears when the same IP address is associated with different MAC addresses within a short
time period. This is the primary indicator of ARP poisoning.
How ARP Poisoning Works
Step-by-Step Attack Process
| Step | Action | Result |
|---|---|---|
| 1 | Attacker sends fake ARP reply to victim | Victim's ARP cache updated with attacker's MAC for router IP |
| 2 | Attacker sends fake ARP reply to router | Router's ARP cache updated with attacker's MAC for victim IP |
| 3 | Traffic flows through attacker | Attacker intercepts all communication |
| 4 | Attacker forwards packets | Victims remain unaware of interception |
Analyzing ARP Poisoning in Wireshark
When examining captured packets during an ARP poisoning attack, you'll notice:
- Multiple ARP replies for the same IP address with different MAC addresses
- Unsolicited ARP replies (including gratuitous ARP) that answer no outstanding request
- Duplicate IP warnings in the Expert Information panel
- MAC address changes for critical devices such as the default gateway
# Example of ARP cache manipulation
# Before attack:
10.20.40.1 00:11:22:33:44:55 (Router's real MAC)
# During attack:
10.20.40.1 AA:BB:CC:DD:EE:FF (Attacker's MAC - SUSPICIOUS!)
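The two Wireshark checks described in Part 2 (request storms) and Part 3 (duplicate IP claims) can be reproduced offline over ARP records. The following is an added example, not code from the original guide; the record layout (timestamp, sender MAC, sender IP, Info-column text), the thresholds, and the sample data are all constructed assumptions that mirror the page's 10.20.40.0/24 scenario.

```python
"""Detect ARP request storms and conflicting IP-to-MAC claims from
Wireshark-style ARP records. Added example, not from the original guide;
record format, thresholds and sample data are assumptions."""
from collections import defaultdict

# Each record: (timestamp_seconds, sender_mac, sender_ip, info_text).
# Info text follows Wireshark's ARP Info column ("Who has ...", "... is at ...").
# Constructed sample: 10.20.40.67 sweeps the subnet in 0.6 s, then the
# router's IP is claimed by two different MACs (the poisoning signature).
SAMPLE = (
    [(0.005 * i, "aa:bb:cc:dd:ee:ff", "10.20.40.67",
      f"Who has 10.20.40.{i}? Tell 10.20.40.67") for i in range(1, 121)]
    + [(2.0, "00:11:22:33:44:55", "10.20.40.1", "10.20.40.1 is at 00:11:22:33:44:55"),
       (2.5, "aa:bb:cc:dd:ee:ff", "10.20.40.1", "10.20.40.1 is at aa:bb:cc:dd:ee:ff")]
)


def request_storms(records, window=1.0, threshold=100):
    """Return the set of sender MACs that issue more than `threshold` ARP
    requests inside any sliding window of `window` seconds (the condition
    behind Wireshark's "ARP packet storm detected" warning)."""
    times = defaultdict(list)
    for ts, mac, _ip, info in records:
        if info.startswith("Who has"):
            times[mac].append(ts)
    flagged = set()
    for mac, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(mac)
                break
    return flagged


def conflicting_claims(records):
    """Return {ip: {mac, ...}} for IPs claimed by more than one MAC in ARP
    replies, i.e. Wireshark's "Duplicate IP address configured" condition.
    Only replies are inspected here; requests also carry sender bindings."""
    claims = defaultdict(set)
    for _ts, mac, ip, info in records:
        if " is at " in info:
            claims[ip].add(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}
```

In the sample, `request_storms` flags the sweeping host and `conflicting_claims` reports the router's IP bound to both the legitimate and the attacker's MAC.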
🛡️ Part 4: Prevention Strategies
Method 1: Static ARP Tables
The most effective but labor-intensive method is configuring static ARP entries. For the addresses
configured this way, the system no longer accepts dynamic ARP updates.
Understanding ARP Table Types
| Type | Description | Vulnerability |
|---|---|---|
| Dynamic | Automatically updated by ARP responses | Can be poisoned by fake ARP replies |
| Static | Manually configured, permanent entries | Immune to ARP poisoning attacks |
Viewing Current ARP Table
# Windows
arp -a
# Linux/macOS (-a lists all entries, -n skips reverse DNS lookups; macOS requires -a)
arp -an
# Sample output:
Interface: 10.20.40.100
Internet Address Physical Address Type
10.20.40.1 00-11-22-33-44-55 dynamic
10.20.40.67 AA-BB-CC-DD-EE-FF dynamic
Creating Static ARP Entries
# Windows
arp -s [IP address] [MAC address]
arp -s 10.20.40.1 00-11-22-33-44-55
# Linux
arp -s [IP address] [MAC address]
arp -s 10.20.40.1 00:11:22:33:44:55
# Make permanent on Linux (add to /etc/network/interfaces)
post-up arp -s 10.20.40.1 00:11:22:33:44:55
✅ Advantages of Static ARP
- Static entries cannot be overwritten by poisoned ARP replies
- The system ignores dynamic ARP updates for the configured addresses
- No additional software or hardware required
- Well suited to small, stable networks
❌ Disadvantages of Static ARP
- Requires manual configuration on each device
- Difficult to maintain in large networks
- New devices cannot join automatically
- MAC address changes (e.g. replacing a router) require manual updates
Method 2: Network Switch Protection
Modern managed switches offer built-in protection against ARP poisoning through features like Dynamic ARP
Inspection (DAI) and port security.
Switch-Based Protection Features
| Feature | Function | Effectiveness |
|---|---|---|
| Dynamic ARP Inspection | Validates ARP packets against DHCP bindings | High - blocks invalid ARP replies |
| Port Security | Limits MAC addresses per port | Medium - prevents MAC flooding |
| DHCP Snooping | Creates binding table of IP-MAC pairs | High - foundation for DAI |
| ARP Rate Limiting | Restricts ARP packets per second | Medium - prevents storms |
Method 3: Specialized Security Software
Several tools can provide active monitoring and protection against ARP attacks:
- ArpON (ARP handler inspection): portable ARP handler for Linux
- XArp: advanced ARP spoofing detection for Windows
- Arpwatch: monitors Ethernet/IP address pairings
- Antidote: real-time ARP spoofing prevention
📊 Comparison of Prevention Methods
| Method | Security Level | Ease of Implementation | Best For | Cost |
|---|---|---|---|---|
| Static ARP Tables | ⭐⭐⭐⭐⭐ | ⭐⭐ | Small networks, home offices | Free |
| Managed Switches (DAI) | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | Enterprise networks | $$$$ |
| Security Software | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | All network sizes | $ - $$ |
| Network Monitoring | ⭐⭐⭐ | ⭐⭐⭐ | Detection only | Free - $$ |
🎓 Best Practices and Recommendations
Recommended Security Approach (Defense in Depth)
1. Use static ARP for critical infrastructure (servers, routers, critical workstations)
2. Implement switch-level security if using managed switches
3. Deploy monitoring tools like Wireshark or specialized ARP protection software
4. Educate network users about security awareness
5. Run regular security audits to detect anomalies
6. Segment your network to limit the attack surface
7. Keep systems updated with the latest security patches
Quick Reference Checklist
| Action | Frequency | Priority |
|---|---|---|
| Monitor ARP table for changes | Daily | High |
| Review Wireshark logs for anomalies | Weekly | Medium |
| Update static ARP entries | As needed | High |
| Audit switch security settings | Monthly | Medium |
| Test ARP protection mechanisms | Quarterly | High |
🔬 Practical Example: Complete Detection Workflow
# Step 1: Check current ARP table
arp -a
# Step 2: Start Wireshark capture with ARP filter
# Filter: arp
# Step 3: Monitor for suspicious patterns:
# - High frequency ARP requests from single source
# - Duplicate IP warnings
# - Unsolicited ARP replies
# Step 4: If attack detected, identify attacker MAC
# Look for MAC address sending fake ARP replies
# Step 5: Block attacker (switch port shutdown or firewall rule)
# Step 6: Clear ARP cache on affected devices (requires administrator/root privileges)
# Windows (the * wildcard deletes every entry):
arp -d *
# Linux:
ip -s -s neigh flush all
# Step 7: Implement static ARP for critical devices
arp -s [gateway IP] [gateway MAC]
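Step 1 of the workflow (and the "Monitor ARP table for changes" item of the checklist) can be automated by parsing `arp -a` output and comparing it with a known-good baseline. This is an added example, not code from the original guide; the `arp -a` sample, the Windows-style output format it parses, and the baseline gateway MAC are constructed assumptions.

```python
"""Audit a host's ARP table (Windows `arp -a` format) against a baseline of
expected MACs for critical devices. Added example, not from the original
guide; the sample output and baseline are constructed assumptions."""
import re

# Constructed `arp -a` output as it would look on a poisoned victim: the
# router's entry now carries the same MAC as 10.20.40.67.
SAMPLE_ARP_OUTPUT = """\
Interface: 10.20.40.100
  Internet Address      Physical Address      Type
  10.20.40.1            aa-bb-cc-dd-ee-ff     dynamic
  10.20.40.67           aa-bb-cc-dd-ee-ff     dynamic
  10.20.40.200          00-aa-bb-cc-dd-01     dynamic
"""

# Hypothetical baseline: known-good MACs for critical devices (the gateway here).
BASELINE = {"10.20.40.1": "00:11:22:33:44:55"}

# Matches "<ip> <mac> <type>" rows; accepts "-" or ":" separated MACs.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")


def parse_arp_table(text):
    """Return {ip: (mac, type)}, with MACs normalised to lowercase colon form."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower().replace("-", ":"), kind)
    return table


def audit_arp_table(table, baseline):
    """Return findings: baseline mismatches, non-static critical entries, and
    MACs shared by several IPs (one MAC answering for router and a host is
    the cache state the attack steps in Part 3 produce)."""
    findings = []
    for ip, expected in baseline.items():
        actual = table.get(ip)
        if actual is None:
            findings.append(("missing", ip, expected))
        elif actual[0] != expected:
            findings.append(("changed", ip, actual[0]))
        elif actual[1] != "static":
            findings.append(("not-static", ip, actual[1]))
    by_mac = {}
    for ip, (mac, _kind) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", mac, sorted(ips)))
    return findings
```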
⚡ Emergency Response: If you detect an active ARP poisoning attack:
1. Disconnect affected devices from the network immediately
2. Clear ARP caches on all devices
3. Identify and isolate the attacking device
4. Implement static ARP entries for critical infrastructure
5. Investigate the source and intent of the attack
6. Update security policies and monitoring
📚 Additional Resources
- Wireshark Documentation: official guide for packet analysis
- RFC 826: original ARP protocol specification
- NIST Cybersecurity Framework: guidelines for network security