Home > Articles > Security > Network Security

The Ingredients to ARP Poison

  • Print
  • + Share This
If you think the only thing between you and the Internet is a bunch of networking equipment, think again! Using ARP spoofing attacks, a hacker can see everything you send and receive from your computer. Cyrus Peikari and Seth Fogie discuss the theory of ARP spoofing and demonstrate how this type of attack is accomplished.
From the author of

Superficially, a network appears to be nothing more than a collection of hardware devices connected with a seemingly infinite supply of wire and RF waves (wireless networks). However, underneath this mostly visible layer exists another much more complex world full of packets, protocols, and data properties. It is in this virtual realm of the network that the communication challenge is fully experienced. However, it is only through the merger of the physical and virtual realms that networking will data flow correctly. One of the key ingredients in this complex scheme is the Address Resolution Protocol (ARP).

When data is sent out onto a network, it needs a way to find its destination. This is accomplished on several layers, depending on how far the data needs to travel. At the first layer, there exists an address called the Media Access Control address. This theoretically 100% unique value is systematically assigned to each and every network device that is produced. In other words, every network card, router, and switch has a pseudo-serial number that distinguishes it from every other network device in the world. However, the MAC address is used only to communicate within local networking segments, which are called subnets. Once the data passes through a router or switch to another network subnet, the next layer of addressing becomes important. This is because the database required to record every MAC address and its location would be too large for quick processing. Instead, other technologies, such as DNS (Domain Name Service), WINS (Windows Internet Naming Service), and IP (Internet Protocol) manage data flow the farther out the data travels. To facilitate this transmission of data, ARP was designed to act as the intermediary between IP and MAC addresses.

In short, ARP is responsible for managing the relationship between Media Access Control addresses and the IP addresses for network devices. This fundamental technology is part of the core of Internet functionality; in fact, without it a network will fail to work. However, it has been discovered that ARP information can be spoofed, or faked, to facilitate the control of all network data.

ARP Details

As mentioned, ARP is a helper protocol that assists in making networking a little bit easier, more efficient, and more reliable. Both IP addresses and MAC addresses provide an important part to networking. Not only does allowing the use of IP addresses provide a method for keeping internal networks separate from external networks, but IP addresses can also help to logically segment one network from another. While IP seems to single-handedly have delivery under control, relying solely on IP addressing would cause serious issues. For example, what happens if two computers on a network start using the same IP address? In a situation like this, chaos would reign, with both computers competing for each other's data. This is why each NIC has a unique address assigned to it.

Figure 1Figure 1 Ethereal capture of ARP request.

To handle the conversion during a data session, an ARP request is initially sent out by the client computer. This request basically asks the following question, "Will the computer with IP address xxx.xxx.xxx.xxx please send me your MAC address." (See Figure 1 for an example of ARP request). Since this information is important for data flow, ARP requests are sent out in broadcast mode, which means every computer on the LAN will receive the request. Eventually, the target computer receives the ARP request and sends back its MAC address back to the requesting computer. To save time in the future, this MAC address to IP address information is placed into a small database called the ARP table. If the destination is beyond the network's boundaries, the request is passed to the gateway devices, which uses the other technologies to find the target. Figure 2 illustrates this ARP process by showing you a before and after shot of an ARP table on Windows XP.

Figure 2Figure 2 ARP in action.

The first couple of lines show us the original ARP table. This is gotten by issuing the command "arp –a". As you can see, there is only one entry, which is the IP address of the Internet gateway device. Next, we perform a PING on another computer on the LAN, which results in a positive reply. However, as we discussed previously, my network card first discovered the MAC address of the target computer before any packets could be sent to it. This accomplished, the information is entered into the ARP table, and the PING commences. The final part of the screen shot shows us the new ARP table, which now includes the MAC address for the recently targeted computer.


"arp " will output a detailed ARP table in Linux.


Use the command "arp –d *" to delete the ARP table in Windows and "arp –d <hostname>" in Linux.


Use the "arp -s" command to manually add static ARP entries. It is useful for connecting to unaddressed Ethernet devices.

There are various other things that the use and understanding of ARP can facilitate. For example, if a new Ethernet device is added to an existing network, but it has no method of predefining an acceptable IP address, ARP can be used to statically assign an IP address to the device using the unique MAC address. Using the command "ARP -s 00-20-4A-24-BF-C1" will make an entry in the local ARP table that points to this device on the Ethernet. Now, a user can use tools such as TELNET and PING to send data to this new device, which will in turn respond. However, there are ways ARP can be abused as well.

  • + Share This
  • 🔖 Save To Your Account