Hey guys, I have this .pcap file (download: https://goo.gl/1zqoGN) and I am a little confused. The capture file shows an ARP poisoning attack, but my question is: why is the IP address 192.168.0.2 sending all these ARP requests (packets 45 to 298)? Could someone explain? Thanks in advance.
asked 17 Jul '15, 08:59 shad0w125 edited 17 Jul '15, 09:03
One Answer:
I don't think so. Looks more like a network sweep (IP scan via nmap or similar tools). If you want to scan all nodes in the local network you first need to know the MAC address of all possible addresses. The only strange thing is that the system first seems to have IP address 192.168.0.2 (see the gap in the ARP request) and then it changes its IP address to 192.168.0.3. I have no good explanation for that, but this does not look like an ARP poisoning attack. Regards
answered 17 Jul '15, 10:46 Kurt Knochner ♦
Well, this is indeed an ARP poisoning attack, I got it from a hacking forum to analyse it. By the way, I thought it was a kind of sweep but I was just wondering why it was there. Thanks.
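
The two patterns discussed in this thread can be told apart from the ARP fields alone. The sketch below is an added example, not part of the original posts: it runs on constructed ARP records (the MAC addresses, the `analyse_arp` function and the threshold of 10 are assumptions) and reports a sweep as one MAC asking for many distinct addresses, and poisoning indicators as one IP claimed by several MACs or replies that answer no request.

```python
from collections import defaultdict

REQUEST, REPLY = 1, 2  # ARP opcodes
# Constructed MAC addresses, not values from the capture in the question.
SWEEP, GW = "02:00:00:00:00:aa", "02:00:00:00:00:01"
HOST, ROGUE = "02:00:00:00:00:10", "02:00:00:00:00:ee"

def analyse_arp(packets, sweep_threshold=10):
    """packets: iterable of (opcode, sender_mac, sender_ip, target_ip)."""
    targets_by_mac = defaultdict(set)  # MAC -> distinct IPs it asked for
    macs_by_ip = defaultdict(set)      # sender IP -> MACs that claimed it
    ips_by_mac = defaultdict(set)      # MAC -> sender IPs it has used
    pending = set()                    # (asker_ip, asked_ip) awaiting a reply
    unsolicited = defaultdict(int)     # MAC -> replies that answer no request
    for opcode, mac, sender_ip, target_ip in packets:
        macs_by_ip[sender_ip].add(mac)
        ips_by_mac[mac].add(sender_ip)
        if opcode == REQUEST:
            targets_by_mac[mac].add(target_ip)
            pending.add((sender_ip, target_ip))
        elif opcode == REPLY:
            if (target_ip, sender_ip) in pending:
                pending.discard((target_ip, sender_ip))  # solicited reply
            else:
                unsolicited[mac] += 1
    return {
        "sweepers": {m for m, t in targets_by_mac.items() if len(t) >= sweep_threshold},
        "ip_conflicts": {ip: m for ip, m in macs_by_ip.items() if len(m) > 1},
        "multi_ip_macs": {m: ips for m, ips in ips_by_mac.items() if len(ips) > 1},
        "unsolicited_replies": dict(unsolicited),
    }

def sample_sweep():
    # Constructed: one host walks the subnet, skipping its own address,
    # then continues from a second source IP; the gateway answers once.
    pkts = [(REQUEST, SWEEP, "192.168.0.2", f"192.168.0.{i}") for i in range(1, 30) if i != 2]
    pkts += [(REQUEST, SWEEP, "192.168.0.3", f"192.168.0.{i}") for i in range(30, 60)]
    pkts.append((REPLY, GW, "192.168.0.1", "192.168.0.2"))
    return pkts

def sample_poison():
    # Constructed: a normal request/reply, then a second MAC repeatedly
    # claims the gateway IP in replies nobody asked for.
    pkts = [(REQUEST, HOST, "192.168.0.10", "192.168.0.1"),
            (REPLY, GW, "192.168.0.1", "192.168.0.10")]
    return pkts + [(REPLY, ROGUE, "192.168.0.1", "192.168.0.10")] * 5

if __name__ == "__main__":
    for name, pkts in (("sweep", sample_sweep()), ("poison", sample_poison())):
        print(name, analyse_arp(pkts))
```

To run this against a real capture, feed it the opcode, sender MAC, sender IP and target IP of each ARP frame exported from the capture tool.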