ARP cache poisoning / ARP spoofing
Many people think that once they use a switch to connect their local network they are safe from network sniffing.
Basically this is right, because the traditional way of sniffing, where a host reads all network packets just by accepting them (the so-called "promiscuous mode"), is not possible on a switched network.
However, there are other means to achieve the same, and because some SysAdmins think they are safe from sniffing and therefore design their network a bit more openly, it is even more dangerous.
The tool used here is called arpspoof and is distributed in the dsniff package.
What we do is the following:
We constantly send the victim computer ARP replies telling it that the MAC address belonging to the IP of the gateway machine (router) is our MAC address.
After some time the victim computer believes us and makes a wrong entry in its ARP cache.
The next time the victim wants to send an IP packet to the gateway, it sends the Ethernet frame to our MAC address, so actually we get the IP packet.
We do the same thing with the gateway machine, just the other way round.
describes the ARP protocol.
In order to tell the victim host that now we (our MAC address) are the one belonging to the IP of the gateway, enter the following command:
# arpspoof -t victim gateway
In a separate shell we start the matching command to fool gateway into believing we are victim:
# arpspoof -t gateway victim
Don't forget to enable IP forwarding on your host so that the traffic goes through your host. Otherwise victim will lose connectivity.
# echo 1 > /proc/sys/net/ipv4/ip_forward
Now watch all the traffic between the victim host and the outside network going through your machine:
# tcpdump host victim and not arp
SysAdmins, beware of that threat! If you have users on your network you can't trust (e.g. in universities), use tools like
to monitor the changes of the MAC / IP address tables.
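As an added illustration of the monitoring just mentioned (this is example code written for this page, not part of dsniff or of any monitoring tool), the following arpwatch-style watcher keeps the IP-to-MAC binding seen in ARP replies and raises an alert when a different MAC starts claiming an IP, which is exactly the symptom the arpspoof flood produces on the victim. The ARP replies, addresses and timestamps are constructed sample data; the ArpReply and ArpWatcher names are assumptions of the example.

```python
# Added example: minimal arpwatch-style detector for ARP cache poisoning.
# The replies below are constructed sample data, not a live capture; in
# practice feed it frames from a sniffer or parse the kernel's ARP table.
from dataclasses import dataclass, field

@dataclass
class ArpReply:
    ip: str    # sender protocol address (the IP being claimed)
    mac: str   # sender hardware address (the MAC claiming it)
    ts: int    # capture time, seconds

@dataclass
class ArpWatcher:
    """Tracks the IP -> MAC binding seen in ARP replies and reports changes."""
    table: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply) -> bool:
        """Record the reply; return True if it conflicts with a known binding."""
        known = self.table.get(reply.ip)
        if known is None:
            self.table[reply.ip] = reply.mac
            return False
        if known.lower() == reply.mac.lower():
            return False
        # A different MAC now claims this IP: the pattern a forged-reply
        # flood produces when a host impersonates the gateway.
        self.alerts.append(
            f"t={reply.ts}: {reply.ip} changed from {known} to {reply.mac}")
        self.table[reply.ip] = reply.mac
        return True

# Constructed sample: the gateway (192.0.2.1) is first seen with its real MAC,
# then a second host starts claiming the gateway's IP with its own MAC.
SAMPLE_REPLIES = [
    ArpReply("192.0.2.1", "00:11:22:33:44:55", 100),
    ArpReply("192.0.2.1", "00:11:22:33:44:55", 101),
    ArpReply("192.0.2.1", "de:ad:be:ef:00:01", 102),   # forged reply
    ArpReply("192.0.2.1", "de:ad:be:ef:00:01", 103),
]

def run_detection(replies=SAMPLE_REPLIES) -> list:
    """Feed replies to a watcher and return the alerts it raised."""
    watcher = ArpWatcher()
    for r in replies:
        watcher.observe(r)
    return watcher.alerts
```

Running run_detection() on the sample yields one alert for the moment the gateway's IP flips to the second MAC; repeated replies with the same forged MAC do not re-alert, matching the flip-flop style of reporting.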