Arp Cache Poisoning and Packet Sniffing

In a switched network environment, packets are sent to their destination port by MAC address. This process requires that the systems on the network maintain a table associating MAC addresses to ports. In a switched environment, packets are only sent to devices that they are meant for. Even in this switched environment, there are ways to sniff other devices' packets. One such way is to spoof your MAC address and poison the arp table. Since arp keeps no state information, the arp cache can be overwritten (unless an entry is explicitly marked as permanent).

Arp cache poisoning puts the attacker in position to intercept communications between the two computers. Computer A believes it is communicating with Computer B, but because of the poisoned arp table, the communication actually goes to the attacker's computer. The attacker can then either respond to Computer A (pretending to be Computer B), or simply forward the packets to its intended destination, but only after the packet information is captured and logged for later use by the attacker. Likewise, the response from Computer B can be captured and logged by the attacker, who has also used Arp poisoning to make Computer B think the attacker's computer is Computer A. This type of attack is known as Man in the Middle attack.

This article covers a number of tools used in arp cache poisoning attacks, including ettercap, arpspoof, nemesis, p0f, dsniff, and scapy.

Running Ettercap

For arp cache poisoning to take place, the attacker needs to be in the same network segment as the systems under attack. The first step is to obtain a list of IP addresses and their associated MAC addresses. Several tools will help you obtain this information; one example is a tool called ettercap ( Ettercap is a suite for man in the middle attacks on a local LAN. It features sniffing of live connections, content filtering on the fly, and more. Ettercap supports active and passive dissection of many protocols some of several protocols. The following command:

# ettercap -T -M arp:remote //

will quickly sniff all hosts within your subnet; to view the results, type L or hit h for the help menu and you will see a list of commands.

Arp Cache DOS

To arp poison a given IP address and knock the system offline so it can't communicate with anyone, use arpspoof from the dsniff suite (, a free collection of tools for network auditing and penetration testing. The dsniff suite includes tools such as dsniff, filesnarf, mailsnarf, nsgsnarf, urlsnard, and webspy, which passively monitor a network for interesting data. (Arpspoof, dnsspoof, and macof tools facilitate the interception of network traffic normally unavailable to an attacker due to layer-2 switching.)

 Arpspoof ( is much simpler than ettercap for redirecting packets:

# arpspoof -i eth0 -t <target> host

Specifying the interface is optional but required if more than one interface is present. The -t option specifies the particular host to arp poison; if the host is not specified, all hosts on the LAN will be poisoned. The host can be the default gateway, and this will keep the target from communicating beyond the local segment. Arpspoof redirects packets from a target host or all hosts on the LAN by forging ARP replies. The beauty of this program comes from the arp_send() function, which also uses libnet to spoof packets. arp_send() sends out one arp packet with source/target IP and Ethernet hardware addresses supplied by the user. Libnet is a generic networking API that provides access to several protocols.

To better understand the arp cache poisoning process, consider an alternative tool called Nemesis. If you have the IP and MAC of the intended target and host, you can use Nemesis to arp poison the target. Nemesis ( is a command-line network packet crafting and injection utility. Nemesis can craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP, and UDP packets. By crafting your own packet using Nemesis, you can see how the arp cache poisoning works:

$ sudo nemesis arp -v -r -d eth0 -S \
-D -h 00:22:6E:71:04:BB -m 00:0C:29:B2:78:9E \
-H  00:22:6E:71:04:BB -M  00:0C:29:B2:78:9E

Then you create a packet to send in the other direction:

$ sudo nemesis arp -v -r -d eth0 -S \
-D -h  00:22:6E:71:04:BB -m 00:22:6B:7E:AD:7C \
-H  00:22:6E:71:04:BB -M  00:22:6B:7E:AD:7C

These two commands spoof ARP replies from to then from to The Nemesis arp option -S specifies the source IP address, -D specifies the destination IP address, -h specifies the sender's MAC address, -m shows the target MAC address, -H the source MAC address, and -M the destination MAC address. These two commands send bogus ARP replies to keep the ARP caches poisoned and traffic redirected.

To make sure the cache stays poisoned, replay the commands every 10 seconds with a loop.

$ while true


> sudo nemesis arp -v -r -d eth0 -S \
-D -h 00:22:6E:71:04:BB -m 00:0C:29:B2:78:9E \
-H  00:22:6E:71:04:BB -M  00:0C:29:B2:78:9E

> sudo nemesis arp -v -r -d eth0 -S \ 
-D -h  00:22:6E:71:04:BB -m 00:22:6B:7E:AD:7C \
-H  00:22:6E:71:04:BB -M  00:22:6B:7E:AD:7C

> echo “Redirecting”

> sleep 10

> done

Once this is done, the targeted box will be off line and unable to communicate with the rest of the network. I made a video on my site that demonstrates this attack and is available at

Sniffing the LAN

One goal of arp cache poisoning is to put the attacker in position to capture and log network information. Intruders have several tools for listening on the LAN and logging data for later analysis.

 Ettercap's bridge mode lets you you intercept packets that you can then read, sniff, or change before sending on to the victim. Bridge mode requires two interfaces that are placed in the network segment. If you set up inline with network bridge mode, you are very hard to detect.

# ettercap -Tq -i eth0 -B eth1

The -i sets the primary interface as eth0, the -B sets the second bridging interface. If you run ettercap in GTK+ user interface, select Sniff | Bridged sniffing.

Related content

comments powered by Disqus