What is the characteristic of spoofed ARP packets?

Hi, what is the characteristic of spoofed ARP packets? I want to know how to detect it, but before that I have to know how I can call a packet a spoofed packet. I hope you can help me. Thank you.

network arp security






edited 21 mins ago by jonathanjo

asked 1 hour ago by Tiffany

If there was really a difference between a legitimate ARP reply and an illegitimate ARP reply, then OS vendors would have something to detect that. You cannot tell the difference unless you already know the MAC address of the destination, and then you would not need to use ARP.
– Ron Maupin♦
1 hour ago




2 Answers
If you look at the packet, there is absolutely no difference in the format of a spoofed ARP reply and a real ARP reply: they look identical.

What makes a real ARP reply real? It came from the computer which legitimately has the queried IP address.

What makes a fake ARP reply fake? It came from a different computer than the one which really has that IP address.

Additionally, there are proxy ARP servers. These reply to ARP on behalf of the computer with the IP address, but are legitimate in that they are set up for this purpose by the network administrators.

As you can see, the only difference is whether they are legitimate or not.

If you monitor ARP on a network, it can be very hard to differentiate between

• a computer changing its network card: a given IP address responds to ARP with one MAC address and then a different one

• an IP address being given from one computer to another by DHCP lease change or manual reconfiguration

• two proxy ARP servers

• ARP spoof replies

edited 1 hour ago

answered 1 hour ago by jonathanjo

In addition to jonathanjo's fine answer, there are ways to validate ARP responses. Some switches allow you to configure DHCP snooping so that

1. only authorized DHCP servers work (rogue DHCP offers are dropped)

2. the snooped IP-MAC combination is constantly monitored on the switch; other combinations are dropped

Of course, MAC addresses can be spoofed, too, but that is another question.

answered 8 mins ago by Zac67

Right, there is Dynamic ARP Inspection that works with DHCP Snooping.
– Ron Maupin♦
7 mins ago



