What is the characteristic of spoofed ARP packets?

Clash Royale CLAN TAG#URR8PPP

up vote
2
down vote

favorite

Hi what is the characteristic of spoofed ARP packets? I want to know how to detect it but before that I have to know how can I call a packet a spoofed packet. I hope you can help me thank you.

network arp security

share|improve this question

edited 21 mins ago

jonathanjo

6,145323

asked 1 hour ago

Tiffany

111

New contributor

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  If there was really a difference between a legitimate ARP reply and an illegitimate ARP reply, then OS vendors would have something to detect that. You cannot tell the difference unless you already know the MAC address of the destination, and then you would not need to use ARP.
  – Ron Maupin♦
  1 hour ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

favorite

Hi what is the characteristic of spoofed ARP packets? I want to know how to detect it but before that I have to know how can I call a packet a spoofed packet. I hope you can help me thank you.

network arp security

share|improve this question

edited 21 mins ago

jonathanjo

6,145323

asked 1 hour ago

Tiffany

111

New contributor

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  If there was really a difference between a legitimate ARP reply and an illegitimate ARP reply, then OS vendors would have something to detect that. You cannot tell the difference unless you already know the MAC address of the destination, and then you would not need to use ARP.
  – Ron Maupin♦
  1 hour ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

favorite

up vote
2
down vote

favorite

Hi what is the characteristic of spoofed ARP packets? I want to know how to detect it but before that I have to know how can I call a packet a spoofed packet. I hope you can help me thank you.

network arp security

share|improve this question

edited 21 mins ago

jonathanjo

6,145323

asked 1 hour ago

Tiffany

111

New contributor

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Hi what is the characteristic of spoofed ARP packets? I want to know how to detect it but before that I have to know how can I call a packet a spoofed packet. I hope you can help me thank you.

network arp security

network arp security

share|improve this question

edited 21 mins ago

jonathanjo

6,145323

asked 1 hour ago

Tiffany

111

New contributor

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 21 mins ago

jonathanjo

6,145323

asked 1 hour ago

Tiffany

111

New contributor

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

share|improve this question

edited 21 mins ago

jonathanjo

6,145323

edited 21 mins ago

jonathanjo

6,145323

edited 21 mins ago

jonathanjo

6,145323

6,145323

asked 1 hour ago

Tiffany

111

New contributor

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 1 hour ago

Tiffany

111

asked 1 hour ago

Tiffany

111

111

New contributor

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Tiffany is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  If there was really a difference between a legitimate ARP reply and an illegitimate ARP reply, then OS vendors would have something to detect that. You cannot tell the difference unless you already know the MAC address of the destination, and then you would not need to use ARP.
  – Ron Maupin♦
  1 hour ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  If there was really a difference between a legitimate ARP reply and an illegitimate ARP reply, then OS vendors would have something to detect that. You cannot tell the difference unless you already know the MAC address of the destination, and then you would not need to use ARP.
  – Ron Maupin♦
  1 hour ago
  

  
  
  
  

2

2

If there was really a difference between a legitimate ARP reply and an illegitimate ARP reply, then OS vendors would have something to detect that. You cannot tell the difference unless you already know the MAC address of the destination, and then you would not need to use ARP.
– Ron Maupin♦
1 hour ago

If there was really a difference between a legitimate ARP reply and an illegitimate ARP reply, then OS vendors would have something to detect that. You cannot tell the difference unless you already know the MAC address of the destination, and then you would not need to use ARP.
– Ron Maupin♦
1 hour ago

add a comment | 

2 Answers
2

active

oldest

votes

up vote
5
down vote

If you look at the packet, there is absolutely no difference in the format of a spoofed ARP reply and a real ARP reply: they look identical.

What makes a real ARP reply real? It came from the computer which legitimately has the queried IP address.

What makes a fake ARP reply fake? It came from a different computer than the one which really has that IP address.

Additionally there proxy ARP servers. These reply to ARP on behalf of the computer with the IP address, but are legitimate in that they are set up for this purpose by the network adminstrators.

As you can see, the only difference is whether they are legitimate or not.

If you monitor ARP on a network, it can be very hard to differentiate between

• a computer changing its network card: a given IP address reponds to ARP with one MAC address and then a different one


• an IP address being given from one computer to another by DHCP lease change or manual reconfiguration


• two proxy ARP servers


• ARP spoof replies

share|improve this answer

edited 1 hour ago

answered 1 hour ago

jonathanjo

6,145323

add a comment | 

up vote
1
down vote

In addition to jonathanjo's fine answer, there are ways to validate ARP reponses. Some switches allow you to configure DHCP snooping so that

1. only authorized DHCP servers work (rogue DHCP offers are dropped)


2. the snooped IP-MAC combination is constantly monitored on the switch, other combinations are dropped

Of course, MAC addresses can be spoofed, too but that is another question.

share

answered 8 mins ago

Zac67

20.4k21047

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
  – Ron Maupin♦
  7 mins ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "496"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

Tiffany is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53646%2fwhat-is-the-characteristic-of-spoofed-arp-packets%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
5
down vote

If you look at the packet, there is absolutely no difference in the format of a spoofed ARP reply and a real ARP reply: they look identical.

What makes a real ARP reply real? It came from the computer which legitimately has the queried IP address.

What makes a fake ARP reply fake? It came from a different computer than the one which really has that IP address.

Additionally there proxy ARP servers. These reply to ARP on behalf of the computer with the IP address, but are legitimate in that they are set up for this purpose by the network adminstrators.

As you can see, the only difference is whether they are legitimate or not.

If you monitor ARP on a network, it can be very hard to differentiate between

• a computer changing its network card: a given IP address reponds to ARP with one MAC address and then a different one


• an IP address being given from one computer to another by DHCP lease change or manual reconfiguration


• two proxy ARP servers


• ARP spoof replies

share|improve this answer

edited 1 hour ago

answered 1 hour ago

jonathanjo

6,145323

add a comment | 

up vote
5
down vote

If you look at the packet, there is absolutely no difference in the format of a spoofed ARP reply and a real ARP reply: they look identical.

What makes a real ARP reply real? It came from the computer which legitimately has the queried IP address.

What makes a fake ARP reply fake? It came from a different computer than the one which really has that IP address.

Additionally there proxy ARP servers. These reply to ARP on behalf of the computer with the IP address, but are legitimate in that they are set up for this purpose by the network adminstrators.

As you can see, the only difference is whether they are legitimate or not.

If you monitor ARP on a network, it can be very hard to differentiate between

• a computer changing its network card: a given IP address reponds to ARP with one MAC address and then a different one


• an IP address being given from one computer to another by DHCP lease change or manual reconfiguration


• two proxy ARP servers


• ARP spoof replies

share|improve this answer

edited 1 hour ago

answered 1 hour ago

jonathanjo

6,145323

add a comment | 

up vote
5
down vote

up vote
5
down vote

If you look at the packet, there is absolutely no difference in the format of a spoofed ARP reply and a real ARP reply: they look identical.

What makes a real ARP reply real? It came from the computer which legitimately has the queried IP address.

What makes a fake ARP reply fake? It came from a different computer than the one which really has that IP address.

Additionally there proxy ARP servers. These reply to ARP on behalf of the computer with the IP address, but are legitimate in that they are set up for this purpose by the network adminstrators.

As you can see, the only difference is whether they are legitimate or not.

If you monitor ARP on a network, it can be very hard to differentiate between

• a computer changing its network card: a given IP address reponds to ARP with one MAC address and then a different one


• an IP address being given from one computer to another by DHCP lease change or manual reconfiguration


• two proxy ARP servers


• ARP spoof replies

share|improve this answer

edited 1 hour ago

answered 1 hour ago

jonathanjo

6,145323

If you look at the packet, there is absolutely no difference in the format of a spoofed ARP reply and a real ARP reply: they look identical.

What makes a real ARP reply real? It came from the computer which legitimately has the queried IP address.

What makes a fake ARP reply fake? It came from a different computer than the one which really has that IP address.

Additionally there proxy ARP servers. These reply to ARP on behalf of the computer with the IP address, but are legitimate in that they are set up for this purpose by the network adminstrators.

As you can see, the only difference is whether they are legitimate or not.

If you monitor ARP on a network, it can be very hard to differentiate between

• a computer changing its network card: a given IP address reponds to ARP with one MAC address and then a different one


• an IP address being given from one computer to another by DHCP lease change or manual reconfiguration


• two proxy ARP servers


• ARP spoof replies

share|improve this answer

edited 1 hour ago

answered 1 hour ago

jonathanjo

6,145323

share|improve this answer

share|improve this answer

edited 1 hour ago

edited 1 hour ago

edited 1 hour ago

answered 1 hour ago

jonathanjo

6,145323

answered 1 hour ago

jonathanjo

6,145323

answered 1 hour ago

jonathanjo

6,145323

6,145323

add a comment | 

add a comment | 

up vote
1
down vote

In addition to jonathanjo's fine answer, there are ways to validate ARP reponses. Some switches allow you to configure DHCP snooping so that

1. only authorized DHCP servers work (rogue DHCP offers are dropped)


2. the snooped IP-MAC combination is constantly monitored on the switch, other combinations are dropped

Of course, MAC addresses can be spoofed, too but that is another question.

share

answered 8 mins ago

Zac67

20.4k21047

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
  – Ron Maupin♦
  7 mins ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

In addition to jonathanjo's fine answer, there are ways to validate ARP reponses. Some switches allow you to configure DHCP snooping so that

1. only authorized DHCP servers work (rogue DHCP offers are dropped)


2. the snooped IP-MAC combination is constantly monitored on the switch, other combinations are dropped

Of course, MAC addresses can be spoofed, too but that is another question.

share

answered 8 mins ago

Zac67

20.4k21047

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
  – Ron Maupin♦
  7 mins ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

up vote
1
down vote

In addition to jonathanjo's fine answer, there are ways to validate ARP reponses. Some switches allow you to configure DHCP snooping so that

1. only authorized DHCP servers work (rogue DHCP offers are dropped)


2. the snooped IP-MAC combination is constantly monitored on the switch, other combinations are dropped

Of course, MAC addresses can be spoofed, too but that is another question.

share

answered 8 mins ago

Zac67

20.4k21047

In addition to jonathanjo's fine answer, there are ways to validate ARP reponses. Some switches allow you to configure DHCP snooping so that

1. only authorized DHCP servers work (rogue DHCP offers are dropped)


2. the snooped IP-MAC combination is constantly monitored on the switch, other combinations are dropped

Of course, MAC addresses can be spoofed, too but that is another question.

share

answered 8 mins ago

Zac67

20.4k21047

share

share

answered 8 mins ago

Zac67

20.4k21047

answered 8 mins ago

Zac67

20.4k21047

answered 8 mins ago

Zac67

20.4k21047

20.4k21047

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
  – Ron Maupin♦
  7 mins ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
  – Ron Maupin♦
  7 mins ago
  

  
  
  
  

Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
– Ron Maupin♦
7 mins ago

Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
– Ron Maupin♦
7 mins ago

add a comment | 

Tiffany is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Tiffany is a new contributor. Be nice, and check out our Code of Conduct.

Tiffany is a new contributor. Be nice, and check out our Code of Conduct.

Tiffany is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53646%2fwhat-is-the-characteristic-of-spoofed-arp-packets%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email