This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to detect ARP spoofing

0

Hi all, can this be considered ARP spoofing? How can I find ARP spoofing, because when I filter by arp I couldn't see it?

192.168.60.7 was able to reach 192.168.100.1

Then later there's a request to ask who is 192.168.60.7.

Finally I can see 192.168.60.7 unable to reach 192.168.100.1 at packet 50428.

[screenshot]

asked 12 Dec '16, 04:10

doran_lum

edited 12 Dec '16, 21:08

Guy Harris ♦♦

2 Answers:

0

Your screenshot looks more like a normal ARP cache update, as discussed here: https://ask.wireshark.org/questions/57174/seeing-lots-of-arp-requests-even-though-the-hosts-have-the-mac-address-in-their-arp-cache-already

An ARP spoof looks like this:

192.168.2.1 is at ab:ab:ab:ab:ab:ab

And

192.168.2.1 is at 10:10:10:10:10:10

Where the MAC addresses are just examples.

answered 12 Dec '16, 04:37

Christian_R

0

This is how an ARP-spoofing attack looks in Wireshark:

[screenshot]

Wireshark warns you with the message "(duplicate use of <ip> detected!)". In my case I used Intercepter NG to make the attack.

You can use the filter expression "arp.duplicate-address-detected" to quickly find if there are any such occurrences in your trace.

answered 12 Dec '16, 07:01

Packet_vlad

edited 12 Dec '16, 07:03
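
The pattern both answers describe (one IP address announced with two different MAC addresses) can also be checked outside Wireshark. The following is an added example, not code from either answerer or from Wireshark, and it is a simplified version of the idea rather than Wireshark's own duplicate-address logic. The frames in `SAMPLE` are constructed, and the host address 192.168.2.7 and its MAC are assumptions made for the example.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return oper, frame[22:28].hex(":"), str(IPv4Address(frame[28:32]))

def find_conflicts(frames):
    """Return (frame_no, ip, known_mac, new_mac) for each IP claimed by a second MAC."""
    seen = {}       # sender IP -> first MAC that announced it
    conflicts = []
    for no, frame in enumerate(frames, start=1):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        if ip == "0.0.0.0":   # ARP probe: the sender claims no address yet
            continue
        known = seen.setdefault(ip, mac)
        if known != mac:      # same IP, different MAC: the spoofing pattern
            conflicts.append((no, ip, known, mac))
    return conflicts

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame (oper 1 = request, 2 = reply)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    dst = mac("ff:ff:ff:ff:ff:ff") if oper == 1 else mac(tha)
    eth = dst + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac(sha) + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed

HOST = ("02:00:00:00:00:07", "192.168.2.7")  # assumed client, constructed
SAMPLE = [  # constructed trace: a normal cache refresh, then a conflicting reply
    build_arp(1, *HOST, "00:00:00:00:00:00", "192.168.2.1"),
    build_arp(2, "ab:ab:ab:ab:ab:ab", "192.168.2.1", *HOST),
    build_arp(1, *HOST, "00:00:00:00:00:00", "192.168.2.1"),  # repeat request, benign
    build_arp(2, "10:10:10:10:10:10", "192.168.2.1", *HOST),  # second MAC for same IP
]

if __name__ == "__main__":
    for no, ip, old, new in find_conflicts(SAMPLE):
        print(f"frame {no}: {ip} was at {old}, now claimed by {new}")
```

A legitimate MAC change (a replaced NIC or a failover pair, for example) produces the same signal, so each hit should be checked against what is known about the address.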