arp spoofing

qrange · 09-17-2010, 07:45 AM

is there an easy way to detect which host is running arp spoofing/poisoning?

gratuitous_arp · 09-17-2010, 07:56 AM

You're looking for something that does dynamic arp inspection. One such program for Linux is ArpON; you can find others if you google around.

sem007 · 09-17-2010, 08:00 AM

Quote:

Originally Posted by qrange

is there an easy way to detect which host is running arp spoofing/poisoning?

You can use arpwatch

Regards,

qrange · 09-17-2010, 08:21 AM

thanks, but that does not help me. I can already see what MAC addresses are spoofed with arp -n
(or better yet arping -d)
what I want to know is which computer is spoofing them.

anomie · 09-20-2010, 02:19 PM

Contact your networking / switch admin(s)? They should be able to determine which port the MAC address is associated with, which should help determine the offender's physical location.

qrange · 09-21-2010, 01:47 AM

hm, but does the spoofed MAC address have to be the same as the computer that is sending fake ARP replies?
my guess not, and that any computer network interface can construct ARP packet as it pleases.
anyway, the admins are rather incompetent and don't believe me.

anomie · 09-21-2010, 11:58 AM

Can you describe more about your situation? It sounds like you're on a hostile subnet, and are receiving little or no network staff support. (Sometimes a technical solution is not the answer to a meatspace problem.)