Tools ARP Cache Poisoning Lead image: © elisanth,
© elisanth,

ARP cache poisoning and packet sniffing

Poisoned Pool

Intruders rely on ARP cache poisoning to conceal their presence on a local network. We'll show you some tools an attacker might use to poison the ARP cache and gather information on your network. By David J. Dodd

In a switched network environment, packets are sent to their destination port by MAC address. This process requires that the systems on the network maintain a table associating MAC addresses with ports. In a switched environment, packets are only sent to devices for which they are meant, but even then, there are ways to sniff other devices' packets. One such way is to spoof your MAC address and poison the ARP table. Because ARP keeps no state information, the ARP cache can be overwritten (unless an entry is explicitly marked as permanent).

ARP cache poisoning puts the attacker in a position to intercept communications between two computers. Computer A believes it is communicating with Computer B, but because of the poisoned ARP table, the communication actually goes to the attacker's computer. The attacker can then either respond to Computer A (pretending to be Computer B) or simply forward the packets to its intended destination, but only after the packet information is captured and logged for later use by the attacker. Likewise, the response from Computer B can be captured and logged by the attacker, who has also used ARP poisoning to make Computer B think the attacker's computer is Computer A. This type of attack is known as a man-in-the-middle attack.

In this article, I mention a number of tools used in ARP cache poisoning attacks, including ettercap, arpspoof, Nemesis, p0f, dsniff, and Scapy.

Running Ettercap

For ARP cache poisoning to take place, the attacker needs to be in the same network segment as the systems under attack. The first step is to obtain a list of IP addresses and their associated MAC addresses. Several tools will help you obtain this information. One example is the ettercap tool [1]. Ettercap is a suite for man-in-the-middle attacks made on a local LAN. It features sniffing of live connections, content filtering on the fly, and more. Ettercap supports active and passive dissection of many protocols, some of several protocols. The command

# ettercap -T -M arp:remote //

quickly sniffs all hosts within your subnet; to view the results, type L. Pressing the h key for the help menu outputs a list of commands.

ARP Cache DoS

The arpspoof tool from the dsniff suite [2], a free collection of tools for network auditing and penetration testing, allows ARP poisoning of a given IP address that knocks the system offline so it can't communicate with anyone. The dsniff suite includes tools such as dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy, which passively monitor networks for data of interest. The arpspoof, dnsspoof, and macof tools help intercept network traffic normally unavailable because of layer 2 switching.

Arpspoof [3] is much simpler than ettercap for redirecting packets:

# arpspoof -i eth0 -t <target> host

Specifying the interface is optional but required if more than one interface is present. The -t option specifies the particular host to ARP poison; if the host is not specified, all hosts on the LAN will be poisoned. The host can be the default gateway, and this will keep the target from communicating beyond the local segment. Arpspoof redirects packets from a target host or all hosts on the LAN by forging ARP replies. The beauty of this program comes from the arp_send() function, which also uses libnet to spoof packets. arp_send() sends out one ARP packet with source/target IP and Ethernet hardware addresses supplied by the user. Libnet is a generic networking API that provides access to several protocols.

To better understand the ARP cache poisoning process, consider an alternative tool called Nemesis. If you have the IP and MAC of the intended target and host, you can use Nemesis to ARP poison the target. Nemesis [4] is a "command-line network packet crafting and injection utility" that can "craft and inject ARP, DNS, Ethernet, ICMP, IGMP, IP, OSPF, RIP, TCP, and UDP packets." By crafting your own packet with Nemesis, you can see how ARP cache poisoning works (Listing 1, line 3); then, you create a packet to send in the other direction (Listing 1, line 4). These two commands spoof ARP replies from to then from to and send bogus ARP replies to keep the ARP caches poisoned and traffic redirected. To make sure the cache stays poisoned, Listing 1 replays the commands every 10 seconds with a loop. (Nemesis arp options are shown in Table 1.)

Tabelle 1: Nemesis arp Options




Source IP address


Destination IP address


Sender's MAC address


Target MAC address


Source MAC address


Destination MAC address

Listing 1: Nemesis arp Packets

01 $ while true
02 > do
03 > sudo nemesis arp -v -r -d eth0 -S -D -h 00:22:6E:71:04:BB -m 00:0C:29:B2:78:9E -H  00:22:6E:71:04:BB -M  00:0C:29:B2:78:9E
04 > sudo nemesis arp -v -r -d eth0 -S -D -h  00:22:6E:71:04:BB -m 00:22:6B:7E:AD:7C -H  00:22:6E:71:04:BB -M  00:22:6B:7E:AD:7C
05 > echo "Redirecting"
06 > sleep 10
07 > done

Once these commands are run, the targeted box will be offline and unable to communicate with the rest of the network. A video I made demonstrates this attack [5].

Sniffing the LAN

One goal of ARP cache poisoning is to put the attacker in a position to capture and log network information. Intruders have several tools for listening on the LAN and logging data for later analysis. Ettercap's bridge mode lets you intercept packets that you can then read, sniff, or change before sending them on to the victim. Bridge mode requires two interfaces that are placed in the network segment. If you set up inline with network bridge mode, you are very hard to detect:

# ettercap -Tq -i eth0 -B eth1

The -i sets the primary interface as eth0, and -B sets the second bridging interface (Figure 1). If you run ettercap in the Gtk+ user interface, select Sniff | Bridged sniffing.

Ettercap's bridge mode.
Figure 1: Ettercap's bridge mode.

Logging Data

If you want to log all the packets in a file, you can use a number of tools, such as p0f, a passive OS fingerprinting and masquerade detection utility. p0f is useful for evidence or information gathering on servers, firewalls, and intrusion detection systems. Ettercap can also fingerprint hosts (find the running operating system) with the -P option; you just need to specify an open port. Once you find out what operating system is running on the target system, you can anticipate how the system will react:

# ettercap -Tq -P finger /

To get the p0f utility to write packets to a tcpdump snapshot, use -w:

p0f -w dumpfile.pcap

The dsniff utility is a tool in the dsniff suite described earlier. To write packets to a file, use:

dsniff -w dumpfile.pcap

With ettercap, you can dump packet data to a file with the -w option, too:

ettercap -T -M arp:remote / / -w dumpfile.pcap

It is easier and less intrusive if you sniff the traffic of a specific computer, rather than trying to sniff the whole LAN segment; otherwise, ettercap might crash.

To view the output, use Scapy [6] if you have a graphical PostScript/PDF viewer. Scapy is a powerful interactive packet manipulation program that has the ability to forge or decode packets of a wide number of protocols. With Scapy, you can perform such tasks as scanning, tracerouting, probing, unit testing, network discovery, tcpdump, tethereal, p0f, and more. Just type scapy at the terminal (Figure 2):

Scapy graphical output.
Figure 2: Scapy graphical output.
$ scapy
>>> a=rdpcap("/home/cr0wn/dumpfile.pcap")
>>> a
<dumpfile.pcap: TCP:9522 UDP:2386 IMCP:15 Other:611>
>>> a[423].pdfdump(layer_shift=1)

If you want to sniff traffic on a host, enter the following command at the Scapy prompt:

>>> sniff(filter="tcp and host", count=50)
>>> a=_
>>> a.nsummary()

This command sniffs the next 50 packets traveling the network on host (Figure 3).

Scapy sniffing traffic on a host.
Figure 3: Scapy sniffing traffic on a host.

If you use the sprintf() function, you can get even more control over what is displayed (Figure 4).

Controlling Scapy output.
Figure 4: Controlling Scapy output.
>>> pkts = sniff(prn=lambda x:x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))

To sniff the common ports for mail clients, 25 and 110, enter the following command in Scapy:

>>> a=sniff(filter="tcp and ( port 25 or port 110 )", prn=lambda x:x.sprintf(" -> %IP.dst%:%TCP.dport% %2s,TCP.flags% : %TCP.payload%"))

This command sniffs for TCP on ports 25 and 110 and uses the lambda operator to denote anonymous functions with the sprintf() function for more control over displayed information (Figure 5).

Sniffing mail clients.
Figure 5: Sniffing mail clients.

Scapy can also graph what you are sniffing on the network by producing a simple diagram of packet flow. The conversations() method will create a conversation graph, which requires Graphviz and ImageMagick to work. With this command,

>>> a=sniff(iface="wlan0", prn=lambda x: x.summary())
>>> a.conversations()

Scapy sniffs the wireless interface (wlan0) connected to a foreign network and displays it graphically (Figure 6).

Sniffing a wireless network with Scapy.
Figure 6: Sniffing a wireless network with Scapy.


ARP Cache Poisoning allows any computer on the local area network to obtain one of the most powerful attack postures in network security, the man-in-the-middle (MITM) attack. An MITM attack enables an attacker to monitor, filter, modify, and edit any and all network traffic moving between LANs.

In this article, I identified some open source tools that you can use to test your network's susceptibility to an ARP cache MITM attack. By making yourself familiar with these tools, you can determine how secure your network really is.

A good defense against these techniques is to provide port security integrated into your switches and run arpwatch [7] to monitor address resolution protocol traffic on your network.

One way to protect network clients that engage in web browsing is to use HTTPS Everywhere [8] by the Electronic Frontier Foundation.

HTTPS Everywhere allows the use of HTTPS instead of ordinary HTTP, which passes information in cleartext and would be read by an attacker sniffing the local network segment. This scenario becomes more significant when using unknown wireless networks, like those you find at coffee shops or airports.