Problem solve Get help with specific problems with your technologies, process and projects.

ARP spoofing detection

This tip addresses how to detect ARP spoofing.

Did you know that the address resolution protocol (ARP) can be used to attack your network, to sniff out your data,...

to glean passwords, even to take your network offline? Well, it can. How it can do this is too involved for discussion here. But there are things you can do to stop this from happening. This tip, excerpted from InformIT, discusses the first step in defeating ARP poison, detecting the problem. The entire article on InformIT explains how ARP attacks work as well.

One program that does this is arpwatch. This program basically monitors all ARP/IP address pairing and alerts its user when changes occur. It does this by listening on the network, much like a sniffer, and comparing all captured replies against a database. Other programs take a snapshot of all related IP/MAC addresses, and periodically request updates from networked computers. However, these methods often result in numerous false alarms due to DCHP networks, which dynamically assign IP addresses. (Editor's note: You can download a program called an Improved ARP Sniffer from Also, you can read a good article on sniffers at

The only real solution for avoiding ARP attacks is to encrypt all data passing over the network. Although this is a possibility, it is not commonly employed due to the processing overhead and complexity of setup.

To read the entire article from which this tip comes, click over to InformIT. You have to register there, but it doesn't cost you anything.

hile stopping ARP attacks is impossible due to the inherent part it plays in data transfer, spoofed ARP requests are very easy to detect. Although there are many tools and programs available that attempt to warn administrators of ARP attacks, they all basically work the same way.
This was last published in October 2002

Dig Deeper on Real-time network monitoring and forensics