What is the characteristic of spoofed ARP packets?
Hi, what is the characteristic of spoofed ARP packets? I want to know how to detect it, but before that I have to know how I can call a packet a spoofed packet. I hope you can help me, thank you.
network arp security
asked 1 hour ago by Tiffany (new contributor); edited 21 mins ago by jonathanjo
If there was really a difference between a legitimate ARP reply and an illegitimate ARP reply, then OS vendors would have something to detect that. You cannot tell the difference unless you already know the MAC address of the destination, and then you would not need to use ARP.
– Ron Maupin, 1 hour ago
2 Answers
If you look at the packet, there is absolutely no difference in the format of a spoofed ARP reply and a real ARP reply: they look identical.
What makes a real ARP reply real? It came from the computer which legitimately has the queried IP address.
What makes a fake ARP reply fake? It came from a different computer than the one which really has that IP address.
Additionally there are proxy ARP servers. These reply to ARP on behalf of the computer with the IP address, but are legitimate in that they are set up for this purpose by the network administrators.
As you can see, the only difference is whether they are legitimate or not.
If you monitor ARP on a network, it can be very hard to differentiate between
- a computer changing its network card: a given IP address responds to ARP with one MAC address and then a different one
- an IP address being given from one computer to another by DHCP lease change or manual reconfiguration
- two proxy ARP servers
- ARP spoof replies
answered 1 hour ago by jonathanjo (edited 1 hour ago)
In addition to jonathanjo's fine answer, there are ways to validate ARP responses. Some switches allow you to configure DHCP snooping so that
- only authorized DHCP servers work (rogue DHCP offers are dropped)
- the snooped IP-MAC combination is constantly monitored on the switch, other combinations are dropped
Of course, MAC addresses can be spoofed, too, but that is another question.
answered 8 mins ago by Zac67
Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
– Ron Maupin, 7 mins ago
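An added example, not code from either answer or from any switch: it shows both answers' points on the same ARP frames. Where a trusted IP-MAC binding exists, a contradicting sender pair is rejected; where none exists, a monitor can only report that the MAC changed. The names `ArpValidator`, `parse_arp` and `build_arp` are hypothetical, the binding table is a plain dict standing in for a DHCP snooping table, and all addresses are constructed.

```python
import socket
import struct

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame; used only to construct sample input."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + socket.inet_aton(spa) + mac_bytes(tha) + socket.inet_aton(tpa)
    return mac_bytes(tha) + mac_bytes(sha) + b"\x08\x06" + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

class ArpValidator:
    def __init__(self, bindings):
        self.bindings = dict(bindings)  # trusted IP -> MAC, as DHCP snooping would record
        self.seen = {}                  # last MAC observed for IPs without a binding
    def check(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":
            return "ignored"  # not ARP, or an ARP probe that claims no sender IP
        _op, mac, ip = parsed
        if ip in self.bindings:
            # A binding exists, so any other IP-MAC combination is rejected.
            return "ok" if self.bindings[ip] == mac else "drop"
        previous, self.seen[ip] = self.seen.get(ip), mac
        if previous is None:
            return "learned"
        # No binding: a change may be a NIC swap, readdressing, proxy ARP or a spoof.
        return "ok" if previous == mac else "changed"

GW, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"  # constructed

def run_samples():
    validator = ArpValidator({"192.0.2.1": GW})  # constructed binding for the gateway
    frames = [
        build_arp(2, GW, "192.0.2.1", HOST, "192.0.2.10"),     # reply matching the binding
        build_arp(2, OTHER, "192.0.2.1", HOST, "192.0.2.10"),  # reply contradicting it
        build_arp(2, HOST, "192.0.2.10", GW, "192.0.2.1"),     # unbound IP, first sighting
        build_arp(2, OTHER, "192.0.2.10", GW, "192.0.2.1"),    # unbound IP, MAC changed
    ]
    return [validator.check(f) for f in frames]
```

The second and fourth frames have exactly the same format as the first and third; only the binding table turns one of them into a definite "drop", while the other stays an ambiguous "changed".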