Learning tools for working with the ARP protocol

The article will talk about a very simple protocol that can be used to attack networks. Consider what the protocol consists of and what tools are available to work with it.

ARP master data

Address Resolution Protocol (ARP) is a protocol that allows you to determine the MAC address of a device from a known IP address, although you can use the protocol to simply collect all the data about the subnet.

The protocol has been known for almost 40 years! (Considering the IPv4 version) The protocol description is in RFC 826. The RFC had several updates that dealt with various parts of the protocol, here are some of them:

  • RFC 5227 – recommendations for troubleshooting address conflicts if multiple devices use the same IP address,

  • RFC 5494 – description of extensions that can be used to work with various protocols. Among them: HYPERChannel, DHCP options, ATM ARP, HARP, Dual Mac FDDI, MAPOS, FC, DNS DHCID,

The whole operation of the protocol can be roughly divided into 3 steps, which it must process every time operating systems or devices on the network try to collect information about the subnet. Below is a list of steps:

  1. The device that is used to collect data collects a special request that will be sent to the entire subnet.

  2. All hosts on the subnet must respond if the requested data matches their characteristics (MAC or IP address).

  3. If the data of the request matched the data of the one who received the request, then he must respond with a pair of MAC address and IP address values.

The received data should be stored in a structure – ARP таблице. Depending on the implementation, this table can be updated, or it can be filled in once and used continuously while the device is connected to the network. By the way, the ARP table in all popular operating systems can be displayed with the commands:

arp -a


ip neigh

The structure of the package that is used to work with the protocol:

Tools for interaction and attacks

Let’s divide the set of tools for working with the protocol into several classes:

  1. Data exploration

  2. Creating and Manipulating Package Options

  3. Attack tools

Data exploration

Collecting data from the RFC and theoretically representing what the package consists of is only half the battle, now you need to look at the implementation, as it sometimes differs. To do this, you can use tools that are called sniffers. The most popular of them:

Tools are an interface that allows you to view specific data that network members fill out. Below is a variant of the parsed ARP packet opened in WireShark:

Thanks to the application interface, you can analyze how well the protocol works in terms of RFC and you can try to find data that could be used to destabilize the network. The test data that was recorded for display can be found here.

Creating and Manipulating Package Options

This set of tools involves low-level work with the package structure. Therefore, the tools will either be libraries for working with network interfaces and a protocol, or it will be specialized software that can allow you to manipulate individual fields of the package.

The most popular library-tool can be considered Scapy. This is both a library and an interactive tool at the same time, with its help, knowing only the basic elements of the Python programming language, you can fill in all the fields of the packages and send them to the network.

An example of a created package in Scapy:

Let’s try to make a custom package and send it to the network, the network is used as a test, we will send the request for a non-existent device at The listing of the mini application will look like this:

packet = ARP(pdst="")

For an example of a ready-made tool, let’s give nping – a tool that allows you to work with various protocols, among them there is ARP. To repeat the request that was made from Scapy, you can use the following command:

sudo nping --arp --arp-target-ip=''

Command result:

Attack tools

Oddly enough, although ARP is one of the simplest protocols, it is very important in carrying out MiTM attacks. Moreover, with the help of this protocol, 90% of the task of intercepting traffic in the network occurs, and the remaining 10% is completed by other tools and handlers of higher-level protocols.

That is, to carry out the attacks listed below, it is necessary that an attack be made on the ARP protocol, and then data that benefits from the attack is sent. Attacks that use ARP as a basis include:

The attack mechanism is quite simple, for success it is necessary that the network traffic passes through a point that the attacker controls. To do this, it can generate a large number of the same type of ARP packets that have certain values ​​inside.

In the ARP protocol, there are only 2 types of requests, this is a request that looks for a match between the MAC and IP addresses and the response to this request.

If you continue to generate unlimited responses that contain information about different IP addresses and one MAC address, then in this way you can update the route data for all network systems and force you to send data through the MAC + IP that constantly flickers in the network.

In practice, the attack can be implemented using the following tools:

The list contains only those tools that have fairly good documentation and have been tested to work. Below are the attack methods.

(BEFORE YOU START TESTING REAL NETWORKS: trying to handle large networks larger than /24 masks right away can be problematic). To prepare the machine, it is recommended to make a small adjustment:

sudo sysctl -w net.ipv4.ip_forward=1

sudo ip link set eth0 promisc on

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo modprobe nf_conntrack

echo "1" > /proc/sys/net/netfilter/nf_conntrack_helper

The commands above are usually used to configure NAT processing, in this form it will be possible to process traffic from a large number of hosts and not disrupt the operation of the network under test at least for the first time. All settings above must be made independently, none of the listed tools for carrying out attacks are set.

How to run testing tools:

Scapy – an example of a script that can attack DNS and ARP can be found here


arpspoof -r ip ip.vi.c.tim ip.dest.i.na.tion


set arp.spoof.targets ip.of.subnet.ot.victim
arp.spoof on

Protection Mechanisms

Protection against traffic redirection can be implemented through several tools:

  1. The very equipment that is used to build the network. To date, almost all devices can detect ARP protocol anomalies. Therefore, it can be problematic to redirect traffic as the device will simply disable the port.

  2. Using third-party software that monitors network traffic. A small list of such tools can be found on the net in huge numbers. For example here such.

Sometimes, setting up and installing even one of the listed methods is neglected, and attackers have a chance to intercept and modify traffic.

The article was prepared as part of the start of the course network security. Learn more about the course and register for a free lesson at the link below.

Similar Posts

Leave a Reply