
Best criteria to zero in on packets related to arp poisoning.


Asked a question earlier about arp poisoning. This question is slightly different.

Given a pcap with arp poisoning, I wonder if the criteria to catch arp poisoning is to detect ARP requests whose destination is not broadcast. If not, what's the best rule to get packets related to arp poisoning?

Thanks.

asked 24 May '15, 08:47


pktUser1001


One Answer:


If you already know that there is arp poisoning in the trace file, that's one thing. I'd do something like this as a display filter in your example. This would look for all arp requests whose IP is the gateway and whose source mac address is not the gateway's mac. Note, you can't just filter on all non-broadcasted ARP requests since often ARP requests are unicast (already-known ARP mappings will be queried periodically, unicasted to the mac address already understood to own the IP as a way of efficiently refreshing the ARP cache):

tshark -r example.pcap -Y 'arp.opcode==1&&arp.src.proto_ipv4=="172.16.0.1"&&!arp.src.hw_mac=="00:21:70:c0:56:f0"'

While it might be useful in post-incident analysis, practically speaking Wireshark is just not a good tool to use as a detection system for something like this. I highly recommend something like Snort, which is a dedicated intrusion detection system that watches packet streams for malicious content.

answered 25 May '15, 19:34


Quadratic

Thanks @Quadratic for the tshark command and the comment on snort. I accepted your answer. If you have any pointers to the following, please let me know: given a big pcap (you don't know the mappings of ip to mac yet), how do we detect the presence of arp poisoning/spoof by some tools or commands?

(25 May '15, 22:21) pktUser1001

If you have a large pcap, that filter is fine provided you know the gateway IP and MAC address. If it's a huge file you might want to chop it up with something like Wireshark's "editcap" command line utility to manage the queries but the method works.

Snort can take the '-r' flag to read a .pcap file also. It's more tailored for this but if the task is as simple as described then there's no reason you can't do it with Tshark/Wireshark. As a normal real-time intrusion detection tool Snort is definitely the way to go though.

(26 May '15, 18:20) Quadratic
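An added example (not from the thread or from Wireshark/tshark) that covers both the answer's gateway filter and the follow-up question about a capture where the IP-to-MAC mappings are not known in advance. It parses a classic (non-pcapng) Ethernet pcap with only the standard library, records which MACs claim each sender IP in ARP traffic, and flags IPs claimed by more than one MAC; the gateway IP and MACs are constructed sample values, and the capture itself is built in memory by the script.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806  # EtherType for ARP
mac_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
ip_bytes = lambda a: bytes(int(o) for o in a.split("."))

def build_arp(opcode, src_mac, src_ip, dst_mac, dst_ip):
    """Build one Ethernet+ARP frame (used only to construct the sample capture)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth + arp + mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def iter_arp(pcap):
    """Yield (opcode, sender_mac, sender_ip) for every ARP frame in a classic pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]  # captured length
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) >= 42 and struct.unpack("!H", frame[12:14])[0] == ETH_ARP:
            opcode = struct.unpack("!H", frame[20:22])[0]  # ARP header starts at byte 14
            sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
            sender_ip = ".".join(str(b) for b in frame[28:32])
            yield opcode, sender_mac, sender_ip

def find_conflicts(pcap):
    """No prior knowledge needed: report every sender IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for _, sender_mac, sender_ip in iter_arp(pcap):
        claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def gateway_filter(pcap, gw_ip, gw_mac):
    """Same logic as the answer's tshark filter: ARP requests claiming gw_ip from a foreign MAC."""
    return [mac for op, mac, ip in iter_arp(pcap) if op == 1 and ip == gw_ip and mac != gw_mac]

# Constructed sample values: gateway and host exchange ARP normally, then a third MAC claims the gateway IP.
GW_IP, GW_MAC, HOST_MAC, ROGUE_MAC = "172.16.0.1", "00:21:70:c0:56:f0", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
SAMPLE = build_pcap([
    build_arp(1, GW_MAC, GW_IP, "ff:ff:ff:ff:ff:ff", "172.16.0.50"),  # legitimate broadcast request
    build_arp(2, HOST_MAC, "172.16.0.50", GW_MAC, GW_IP),             # legitimate reply
    build_arp(2, ROGUE_MAC, GW_IP, HOST_MAC, "172.16.0.50"),          # spoofed reply for the gateway IP
    build_arp(1, ROGUE_MAC, GW_IP, HOST_MAC, "172.16.0.50"),          # spoofed unicast request
])
```

On a real file, replace SAMPLE with the bytes read from the pcap; a legitimate change of hardware (a replaced gateway) also shows up as a conflict, so the flagged IPs are leads to confirm rather than verdicts.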