Listen to this Post

Introduction:
In the labyrinth of local network communication, the Address Resolution Protocol (ARP) is both a fundamental necessity and a critical vulnerability. ARP spoofing, also known as ARP poisoning, allows an attacker on the same subnet to intercept, modify, or halt data in transit by associating their MAC address with the IP address of a legitimate device, such as a default gateway. This Man-in-the-Middle (MitM) technique is often the first step in advanced attacks like session hijacking or credential sniffing. Understanding how to detect this malicious activity in real-time is a cornerstone of proactive defensive security.
Learning Objectives:
- Understand the mechanics of ARP and how the spoofing attack exploits its stateless nature.
- Learn to implement a real-time packet sniffer in Python using the Scapy library.
- Master the analysis of network traffic to detect anomalies by tracking IP-to-MAC mappings.
- Gain practical skills in setting up a defensive monitoring tool on a Linux system.
- Explore mitigation strategies and commands to harden a network against such attacks.
You Should Know:
1. Project Overview: The Sentinel Script
The tool developed by Manthan Goswami is a lightweight, console-based packet sniffer written in Python. It leverages the Scapy library to listen for ARP packets on a network interface. Its core logic involves maintaining a live dictionary of known IP addresses and their associated MAC addresses. Whenever a new ARP packet is captured, the script checks if the IP is already in its table. If the IP exists but the MAC address is different from the previously recorded one, it immediately raises an alert, indicating a potential ARP spoofing attack.
- Step‑by‑Step Guide: Installing and Running the ARP Detector
To deploy this tool on your own Linux machine (Ubuntu/Debian based), follow these steps:
Step 1: Install Python and Pip
Ensure Python 3 and pip are installed.
sudo apt update sudo apt install python3 python3-pip -y
Step 2: Install Scapy
Scapy is a powerful Python library used for packet manipulation.
sudo pip3 install scapy
Step 3: Download the Script
Clone the repository or download the Python file directly.
git clone https://github.com/manthan-goswami/ARP-Spoofing-Detector.git cd ARP-Spoofing-Detector
(Note: The actual filename may vary; look for a `.py` file, often named `arp_detector.py` or similar.)
Step 4: Run the Sniffer
You need root privileges to capture raw packets.
sudo python3 arp_detector.py
The script will start listening. To test it, you can simulate an ARP spoofing attack from another machine on the same network using tools like `arpspoof` (from the `dsniff` package).
- Understanding the Core Logic: IP ↔ MAC Tracking
The script’s effectiveness relies on a simple but robust algorithm. Here is a pseudo-code breakdown of the detection mechanism: - Initialization: Create an empty dictionary (e.g.,
arp_table = {}). - Packet Capture: Sniff the network for ARP packets (opcode 1 for requests, opcode 2 for replies).
- Extraction: For each captured ARP packet, extract the source IP (
psrc) and source MAC (hwsrc).
4. Verification:
- If the IP is not in
arp_table, add the IP and its corresponding MAC as a new entry. - If the IP exists in
arp_table, compare the MAC from the packet with the MAC stored in the table.
- Alert: If the MAC addresses differ, print an alert:
"[!] Possible ARP Spoofing detected! IP {ip} is now at {new_mac}, but was at {old_mac}".
4. Simulating the Attack: Ethical Hacking Practice
To see the detector in action, you must understand how the attack is performed. This should only be done in a controlled lab environment.
On the Attacker Machine (e.g., Kali Linux):
- Enable IP forwarding to route traffic between the target and the gateway, ensuring the connection is not broken.
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
- Use `arpspoof` to poison the target’s ARP cache, telling it that the attacker’s MAC is the gateway.
sudo arpspoof -i eth0 -t [bash] [bash]
- In another terminal, poison the gateway’s ARP cache, telling it that the attacker’s MAC is the target.
sudo arpspoof -i eth0 -t [bash] [bash]
Once these commands are running, the detector script on the target machine (or a monitoring machine) will instantly flag the MAC address change for the gateway IP.
5. Enhancing the Detector: Logging and Alerting
The base script can be modified for better operational use. You can add a logging feature to record attacks with timestamps.
Python Code Snippet for Logging:
from scapy.all import
import time
arp_table = {}
def process_packet(packet):
if packet.haslayer(ARP):
ip = packet[bash].psrc
mac = packet[bash].hwsrc
if ip in arp_table:
if arp_table[bash] != mac:
timestamp = time.strftime('%Y-%m-%d %H:%M:%S')
message = f"[{timestamp}] ALERT: IP {ip} is at {mac}, but was at {arp_table[bash]}"
print(message)
with open("arp_attacks.log", "a") as log_file:
log_file.write(message + "\n")
else:
arp_table[bash] = mac
print(f"[+] New mapping: {ip} --> {mac}")
sniff(prn=process_packet, filter="arp", store=0)
6. Defense in Depth: Network Hardening
Detection is crucial, but prevention is better. Here are Linux/Windows commands and configurations to mitigate ARP spoofing:
- Linux: Static ARP Entries
Define a static ARP entry for the gateway to prevent it from being overwritten.sudo arp -s [bash] [bash]
Note: This must be done on every client and can be cumbersome to manage.
-
Windows: Static ARP Entries
Open Command Prompt as Administrator.
netsh interface ipv4 add neighbors "Local Area Connection" [bash] [bash]
- Switch Configuration: Dynamic ARP Inspection (DAI)
On enterprise Cisco switches, DAI validates ARP packets in a network. It intercepts all ARP requests and responses on untrusted ports and verifies them against the DHCP snooping binding database before forwarding.ip dhcp snooping ip dhcp snooping vlan [vlan-id] interface [interface-id] ip dhcp snooping trust ip arp inspection vlan [vlan-id]
-
Using arpwatch
`arpwatch` is a legacy but effective tool that listens for ARP traffic and emails the admin when pairings change.sudo apt install arpwatch sudo systemctl start arpwatch
7. Advanced Detection: Cross-referencing with `tcpdump`
For a quick, manual check, you can use `tcpdump` to inspect suspicious ARP traffic. Look for multiple different MAC addresses claiming the same IP.
sudo tcpdump -i eth0 arp and arp[6:2] == 2 -n
This command filters for ARP replies. If you see a reply for your gateway IP coming from a MAC address that isn’t your actual gateway, an attack is underway.
What Undercode Say:
- Layered Visibility is Key: Relying solely on a single tool like this Python script provides a critical layer of host-level visibility. However, it must be complemented with network-level monitoring (like DAI on switches) and centralized logging (SIEM) to correlate events and manage larger infrastructures effectively.
- Simplicity Enables Rapid Response: This project exemplifies that effective security tools don’t require complex architectures. By focusing on a single, well-defined protocol behavior, the script offers a low-latency, high-fidelity alerting mechanism. For blue teams, integrating such lightweight agents can fill detection gaps left by heavier, signature-based IDS/IPS solutions, especially in segmented or resource-constrained environments.
Prediction:
As network encryption becomes ubiquitous (e.g., HTTPS, DNS over HTTPS), Man-in-the-Middle attacks are shifting focus back to the network layer. We will see a resurgence of ARP and NDP (Neighbor Discovery Protocol for IPv6) poisoning attempts as a means to force traffic decryption or perform denial of service. Consequently, defensive tools will evolve from simple detection to automated response—for instance, scripts that not only detect an ARP spoofing attack but automatically inject corrective static ARP entries or trigger firewall rules to block the offending MAC address, moving toward a self-healing network infrastructure.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Goswami Manthan – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


