This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I think I’m being ARP spoofed or poisoned. How can I know for sure using Wireshark?

0

I believe my router is infected since I recently had malware on my PC. I have since reinstalled Windows 7. After getting rid of the malware/virus from my PC, my network is acting weird (certain pages loading slowly or not at all on all computers) and I notice that the gateway mac address I am connected to does not match the mac address on my router. It is off by one number. Is this normal?

Also, Xarp has warned me that ARP attacks have been detected, but I don't know the next step from there. Can someone point me in the right direction? This is driving me crazy. Thanks.

asked 10 Apr '15, 15:38


billyunaire
1112
accept rate: 0%

edited 10 Apr '15, 15:39

1

You make some assumptions without much evidence. How are you determining the "gateway mac address"?

You state you have a "network of computers", how large is this, how are they connected to your internet router, and what type of internet connection do you have?

(11 Apr '15, 02:10) grahamb ♦

2 Answers:

1

and I notice that the gateway mac address I am connected to does not match the mac address on my router. It is off by one number. Is this normal?

I don't know if that's normal (could be a result of your router firmware). Anyway, you can figure out if there is ARP spoofing on the network by doing this:

  • start Wireshark on your client
  • Clear the ARP cache on your client (arp -f ; might need admin privileges, i.e. an elevated DOS box)
  • ping the default gateway IP
  • stop Wireshark
  • Apply the following filter: arp
  • Check if there are two ARP replies for the same request.

If so, there is either something broken in your network (like one system having the same IP address as your default gateway) or there is really some ARP spoofing going on. In either case: switch off all your systems one by one and repeat the test until the duplicate ARP replies stop. Now you know which system caused them and you can further investigate what's wrong with that system.

Regards
Kurt

answered 11 Apr '15, 05:51


Kurt Knochner ♦
24.8k1039237
accept rate: 15%
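To show what the last step of the procedure above looks for, here is an added example (not part of the answer or of Wireshark) that parses raw Ethernet/ARP frames and reports any IP address claimed by more than one MAC in ARP replies, which is exactly the "two replies for one request" symptom. The frames, MAC addresses and IP addresses are constructed sample data; the gateway IP and the "off by one" MAC pair are assumptions for the demo.

```python
import struct
from collections import defaultdict

ARP_ETHERTYPE = 0x0806
ARP_REPLY = 2  # ARP opcode for a reply


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet+ARP reply frame (sample data for this demo only)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, lens, opcode
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


def find_conflicting_replies(frames):
    """Map each IP seen in ARP replies to the MACs claiming it; keep only IPs with >1 MAC."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            claims[parsed[2]].add(parsed[1])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed capture: the client's ping triggers one ARP request; two hosts answer
# for the gateway IP with MACs that differ in the last digit, plus one benign reply.
CLIENT = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    build_arp_reply("aa:bb:cc:dd:ee:01", "192.168.1.254", CLIENT, "192.168.1.10"),
    build_arp_reply("aa:bb:cc:dd:ee:02", "192.168.1.254", CLIENT, "192.168.1.10"),
    build_arp_reply("aa:bb:cc:dd:ee:77", "192.168.1.20", CLIENT, "192.168.1.10"),
]
```

In Wireshark itself the same condition is flagged by the dissector and can be filtered with `arp.duplicate-address-detected`.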

0

Is this a modem or wireless router? If it's a wireless router, I think someone is logged onto your wifi and is doing a man-in-the-middle attack on your network. I would change your wifi password and make it stronger (WPA2, over 20 chars), turn off WPS, and make sure the firmware is up to date.

answered 10 Apr '15, 15:53


zer0day
217811
accept rate: 60%

edited 10 Apr '15, 16:03

It is a 2wire 3801HGV Router/Modem from ATT. I am currently using default settings for it. I will change the Password.

Would it help to clear devices connected to the router and enable mac filtering?

(10 Apr '15, 16:26) billyunaire

"Would it help to clear devices connected to the router and enable mac filtering?" No, it wouldn't. Four important things, all of them important:

  1. Change password, consists of 20 characters or more having lowercase, uppercase, numbers, and special characters.

  2. Encryption type is WPA2 w/ AES, not WPA or WEP

  3. Turn off Wi-Fi Protected Setup (WPS); with this on, someone can crack your wifi password in 10 hours or less regardless of the length and complexity. This time frame can now differ depending on whether the AP has rate-limiting on PIN challenges.

  4. Make sure you have the latest firmware; having the latest firmware most of the time improves security by adding additional layers of protection or by patching holes in old ones.

(10 Apr '15, 19:57) zer0day