ARP cache poisoning: how a hacker can spy on your Wi-Fi


Last updated: November 3, 2023

We often talk about application vulnerabilities caused by human error. In this article, we will see that vulnerabilities can also come from network protocols.

ARP cache poisoning is an attack that exploits a flaw in the ARP protocol, located in layer 3 of the OSI model. It consists of bombarding a router with ARP requests, making it believe that you are someone else. After a while, this causes the ARP cache to update. The goal is to stand between the victim and their router in order to capture all the traffic between two remote machines.

What is the ARP protocol used for?

The ARP protocol allows you to find out the physical address of the network card corresponding to an IP address. This is why it is called the Address Resolution Protocol.

The ARP protocol is used to determine the MAC address of a remote machine. When a machine wants to know the MAC address of another machine, it sends an ARP who-has packet to all the members of its subnet, asking for the MAC address of the machine that holds a given IP address.

The machine that has this IP address will be the only one to respond by sending the sending machine an ARP response of the type "I am an IP address and here is my MAC address".

The machine that made the ARP request receives the response, updates its ARP cache and can therefore start sending messages.
The contents of this cache are temporary. This means that ARP requests still have to be sent again from time to time, but much less frequently.

To view the contents of the cache on Windows, type the following command:

 arp -a

under Linux:


Where is the flaw in the ARP protocol?

With the ARP protocol, we can communicate our MAC address to a machine at any time by sending it a simple ARP reply packet. This will update its ARP cache. Now imagine sending an ARP reply packet containing false information to a machine. This is where ARP cache poisoning comes in. We can easily pass for a machine that we are not and therefore intercept the dialogue between two hosts.
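Seen from the defender's side, the flaw described above leaves two visible traces: a reply that nobody asked for, and an IP address whose MAC address suddenly changes. The following sketch is an added example, not code from the original article; the names parse_arp, ArpWatch, build and demo, and all sample addresses, are constructed for illustration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(payload):
    """Parse a 28-byte Ethernet/IPv4 ARP payload -> (op, sender_mac, sender_ip, target_ip)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = ":".join(f"{b:02x}" for b in sha)
    return op, mac, ".".join(map(str, spa)), ".".join(map(str, tpa))

class ArpWatch:
    """Track IP-to-MAC bindings and flag the two signs of cache poisoning."""
    def __init__(self):
        self.bindings = {}    # ip -> MAC address last announced for it
        self.pending = set()  # IPs that a who-has request has asked about

    def observe(self, payload):
        op, mac, sender_ip, target_ip = parse_arp(payload)
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add(target_ip)
        elif op == ARP_REPLY:
            if sender_ip not in self.pending:
                alerts.append(f"unsolicited reply for {sender_ip} from {mac}")
            self.pending.discard(sender_ip)
        known = self.bindings.get(sender_ip)
        if known and known != mac:
            alerts.append(f"{sender_ip} moved from {known} to {mac}")
        self.bindings[sender_ip] = mac
        return alerts

def build(op, sha, spa, tpa):
    """Build a constructed sample payload; target MAC is zeroed (unused by ArpWatch)."""
    ip = lambda a: bytes(map(int, a.split(".")))
    head = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return head + bytes.fromhex(sha.replace(":", "")) + ip(spa) + bytes(6) + ip(tpa)

def demo():
    """Constructed traffic: a request, the genuine reply, then a forged reply."""
    watch = ArpWatch()
    frames = [
        build(ARP_REQUEST, "02:00:00:00:00:10", "192.0.2.10", "192.0.2.1"),  # who-has gateway
        build(ARP_REPLY, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),    # genuine answer
        build(ARP_REPLY, "02:00:00:00:00:66", "192.0.2.1", "192.0.2.10"),    # forged, unsolicited
    ]
    return [watch.observe(f) for f in frames]
```

On a switched network a monitoring host only sees broadcast requests and the replies addressed to itself, so this logic is most useful on a mirror port or on the protected host.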

How to carry out this attack?

During normal internet browsing, a user's data is sent to the router, and the router then forwards it to the web server.
During an ARP poisoning attack, the hacker slips in between the user and the router.

Man in the Middle

To carry out this type of attack and capture traffic between two remote hosts, it is possible to use different tools. Here we will use the tool "Ettercap", which specializes in this kind of attack.
Ettercap is free software. It is pre-installed on the Backtrack distribution (Kali Linux). To install it on another Linux distribution, run the following command:

apt-get install ettercap wireshark

Once installed, all you have to do is type the following command in the terminal:

ettercap -T -q -M arp: remote / / -w "myfile"

Explanation of the command:

-T : launch ettercap in text mode
-M : indicates that we must place ourselves between the two IPs and that we want a "Man in the middle" attack
-w : save the result of the capture in a file

In my case the target machine has the IP address and the egress router has the IP address

ARP Poisoning

To end the attack and recover the data, press the q key.

Finally, you can open the output file "myfile" with software like "Wireshark" to analyze each request made through the network.

EL JAOUARI is an author and trainer. Passionate about IT security and new technologies. His tutorials have helped many people to better master today's computer tools.