Skip to main content

ARP, the mystery protocol that makes a LAN work

Address Resolution Protocol

Usually, ARP just works and most people are blissfully unaware of it, but once in a while, I run into a problem.

ARP is the mystery protocol that makes a LAN work.  When a host wants to talk to another host on a LAN, it sends out a Who Has w.x.y.z message and gets an I Am reply. After that the system knows how to talk to each other using their MAC addresses and the LAN switch knows how to route the packets between the two hosts. 

Fail Over of Servers

This is all very nice when you are running an ordinary LAN, but the wheels tend to fall off when you run a system with redundancy and fail over.

What happens in a fail over case, is that some devices will remember the old connection and will refuse to talk to the backup host, because while the backup host has the same IP address as the now defunct host, its MAC address is different. The entries in the ARP table can take a very long time to time out, more than 8 minutes in most Linux systems.

The solution is to force an ARP table update in hosts on the LAN, using the arping command:
$ arping -A -c 1 -I em0

The above example will send an unsolicited I Am reply to device on the LAN. Read man arping for more details. (Some devices will respond to a request and some to an answer, so the best strategy is to send both to each device that you need to update, using the -U for one command and -A for the other.)

You can verify what is happening using tcpdump:
# tcpdump -lni em0 arp 

This is known as a gratuitous or unsolicited ARP to update a neighbour's cache.


Another problem arises when a backup system causes a LAN loop. 

Broadcasted ARP messages will get stuck in the loop and will clog up the LAN after a little while. The spanning tree protocol was devised to control ethernet switches and prevent loops, but in my experience it never works the way I want, so the best solution is to avoid making loops in the first place, rather than try to fix it using spanning tree.

ARP Poisoning

One of the myths surrounding a switched environment is that it prevents packet sniffing. It only makes it a little more awkward. Anyone can put their network card into promiscuous mode and capture packets between other hosts, by using ARP Spoofing. All you need is Ettercap.

ARP Cache

ARP is the Address Resolution Protocol. It is used to translate IP Addresses to MAC Addresses (Physical Address). A computer sends a query out to its broadcast domain asking who has a certain IP address. When the device at the IP address receives the packet it replies with its MAC Address and the requesting computer will log the response in its ARP cache. 

The ARP cache can be viewed by typing arp –a from the command-line:
Interface: --- 0x5
Internet Address Physical Address Type 00-0b-cd-ef-2c-ff dynamic 00-0e-7f-ef-b5-8d dynamic

ARP Spoofing

How ARP Spoofing works is by an attacker PC sending out fake ARP responses to victim PC’s stating that they are someone else, the victim PC then updates their ARP cache to direct traffic to the attacker. The attacker will log, read, or modify the packets and then forward them to the destination.

This can be done using arping as discussed above, or one can use EttercapEttercap provides a GUI which can be launched from the command-line using ettercap –G or it can be run from the command-line entirely.

Basic Sniffing

To watch traffic passing by on the network use:
# ettercap –Tzq –i eth0

This will put ettercap into text mode, it will not ARP scan the network and will be quiet. Only interesting traffic will be displayed as it passes and it will listen on interface eth0 (or em1 or wlan0... use ifconfig to see what is available).

Man In The Middle Attack 

To sniff traffic between 2 hosts the attacker can run the following command from his Linux work station:
# ettercap -i eth0 –T –M arp /victim_ip_A/ /victim_ip_B/

The –i switch is telling ettercap to use a specific interface, in this case eth0, the –T switch is telling ettercap to use the Text interface and the –M switch is telling ettercap to use the Man-in-Middle-Mode (MITM).

Sniffing Multiple Hosts 

Multiple hosts can be sniffed with a command such as:
# ettercap –i eth0 –T –M arp / / /

If traffic to a certain port only, such as Telnet need to be captured the command would look like:
# ettercap –i eth0 –T –M arp / / /

Sniffing All Hosts

To sniff traffic between all hosts on a small network:
# ettercap –T –M arp // //

Depending on the size of the network, this may cause dropped packets and performance issues and an angry IT person may eventually sneak up and hit you with an ugly stick.


  • Sniffing HTTPS
  • Collecting usernames and passwords
  • Injecting traffic
  • OS fingerprinting

Logging The Output

 To log the output of Ettercap you can use the following:
  • -L This will log both the packet detail (filename.ecp) and the info (filename.eci)
  • -l This will log only info (filename.eci)
  • -w Write output to a pcap file (viewable with Wireshark)

The syntax to log the output would be:
# ettercap –T –L filename –qM arp /ip_address_A/ /ip_address_B/

Other useful options:
  • -P use plugin (to view plugins use ettercap –TQ press p to view the plugin menu)
  • -c Compress the output (gzip)

Viewing The Output

The output from ettercap is a standard pcap file and can be viewed using etterlog, tcpdump, wireshark, or sent directly to the screen.

Using Ettercap for Fun and Profit

Ettercap can be used to perform MITM attacks and capture traffic between 2 hosts, just like the good folks at the NSA and GCHQ like to do.

Obviously this traffic can be parsed for useful information using grep.

You could run dsniff on the same PC and LAN card to run the traffic through that.

You could run driftnet to view any pictures that are passing the interface, or you could send the visited URL’s to your browser to see what other LAN users are doing and pretty soon, you will feel like a veritable Eddy Snowden.


Note that the ettercap syntax differs slightly from version to version.

To MITM someone you may need either:
# ettercap -i eth0 –T –M arp /victim_ip_A/ /victim_ip_B/
# ettercap -i eth0 –T –M arp /victim_ip_A/port/ /victim_ip_B/port/

or to MITM everybody:
# ettercap -i eth0 –T –M arp // //
# ettercap -i eth0 –T –M arp /// ///

Thanks to Mohammad Aamir, who spotted a mistake.

Have fun!



Popular posts from this blog

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018: If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well understood. Therefore,

Weather Satellite Turnstile Antennas for the 2 meter Band

NEC2, 2 m band, 146 MHz, Yagi Turnstile Simulation and Build This article describes a Turnstile Antenna for the 2 meter band, 146 MHz amateur satcom, 137 MHz NOAA and Russian Meteor weather satellites.  Weather satellite reception is described here .  A quadrifilar helical antenna is described here .   Engineering, is the art of making what you need,  from what you can get. Radiation Pattern of the Three Element Yagi-Uda Antenna Once one combine and cross two Yagis, the pattern becomes distinctly twisted. The right hand polarization actually becomes visible in the radiation pattern plot, which I found really cool. Radiation Pattern of Six Element Turnstile Antenna Only a true RF Geek can appreciate the twisted invisible inner beauty of a herring bone antenna... Six Element Turnstile Antenna Essentially, it is three crosses on a stick.  The driven elements are broken in the middle at the drive points.  The other elements can go straight throug

To C or not to C, That is the Question

As most would know, the Kernighan and Ritchie C Programming Language is an improved version of B, which is a simplified version of BCPL, which is derived from ALGOL, which is the Ur computer language that started the whole madness, when Adam needed an operating system for his Abacus, to count Eve's apples in the garden of Eden in Iraq.  The result is that C is my favourite, most hated computer language , which I use for everything. At university, I learned FORTRAN with punch cards on a Sperry-Univac, in order to run SPICE, to simulate an operational amplifier.  Computers rapidly lost their glamour after that era! Nobody taught me C.  I bought the book and figured it out myself. Over time, I wrote a couple of assemblers, a linker-locator, various low level debuggers and schedulers and I even fixed a bug in a C compiler - not because I wanted to, but because I had to, to get the job done!   Much of my software work was down in the weeds with DSP and radio modems ( Synchronization,