ARP Spoofing Attack Analysis in Wireshark

We may have heard of many networking attack. ARP spoofing is one of the many networking attacks. ARP spoofing is a mechanism where ARP request is sent contentiously to a local area network by the attacker. If any ARP reply comes from the victim, the attacker’s MAC address is updated with the IP address of another real host so that the actual traffic goes to the attacker system instead of the real system. In this article, let us learn more details about ARP spoofing attack.

Tools to Use in ARP Spoofing Attack

There are many tools like Arpspoof, Cain & Abel, Arpoison, and Ettercap which are available to start the ARP spoofing.

Here is the screenshot to show how the mentioned tools can send the ARP request contentiously:

ARP Spoofing Attack in Details

Let us see some screenshots and understand the ARP spoofing step-by-step:

Step 1:

The attacker’s expectation is to get the ARP reply so that it can learn the victim’s MAC address. Now, if we go further in the given screenshot, we can see that there are 2 ARP replies from the and IP addresses. After this, the victim [ and] updates its ARP cache but did not query back. So, the entry in the ARP cache never gets corrected.

The ARP request packet numbers are 137 and 138. The ARP response packet numbers are 140 and 143.

Thus, the attacker finds the vulnerability by doing the ARP spoofing. This is called as the “entry of attack”.

Step 2:
The packet numbers are 141, 142 and 144, 146.

From the previous activity, attacker now has valid MAC addresses of and The next step for the attacker is to send the ICMP packet to the victim’s IP address. And we can see from the given screenshot that the attacker sent an ICMP packet and got an ICMP reply from and This means that both IP addresses [ and] are reachable.

Step 3:

We can see that there is the last ARP request for IP address to confirm that the host is active and it has the same MAC address of 08:00:27:dd:84:45.

The given packet number is 3358.

Step 4:

There are another ICMP request and response with the IP address. The packet numbers are 3367 and 3368.

We can think from here that the attacker is targeting the victim whose IP address is

Now, any information that comes from the IP address of or to IP reaches to the MAC address attacker whose IP address is

Step 5:

Once the attacker has access, it tries to establish an actual connection. From the given screenshot, we can see that the HTTP connection establishment is being tried from the attacker. There is a TCP connection inside the HTTP which means that there should be a 3-WAY handshake. These are the packet exchanges for TCP:


From the given screenshot, we can see that the attacker is retrying the SYN packet multiple times on different ports. The frame number 3460 to 3469. The packet number 3469 SYN is for port 80 which is HTTP.

Step 6:

The first successful TCP handshake is shown at the following packet numbers from the given screenshot:

4488: SYN frame from attacker
4489: SYN+ACK frame from
4490: ACK frame from attacker

Step 7:

Once the TCP connection is successful, the attacker is able to establish the HTTP connection [frame number 4491 to 4495] followed by the SSH connection [frame number 4500 to 4503].

Now, the attack has enough control so that it can do the following:

  • Session hijacking attack
  • Man in the middle attack [MITM]
  • Denial of Service (DoS) attack

How to Prevent the ARP Spoofing Attack

Here are some protections that can be taken to prevent the ARP spoofing attack:

  1. Use of “Static ARP” entries
  2. ARP spoofing detection and prevention software
  3. Packet filtering
  4. VPNs, etc.

Also, we could stop this from happening again if we use HTTPS instead of HTTP and use the SSL (Secure Socket layer) transport layer security. This is so that all communications are encrypted.


From this article, we got some basic idea on ARP spoofing attack and how it can access any system’s resource. Also, we now know how to stop this kind of attack. This information helps the network administrator or any system user to protect from ARP spoofing attack.

About the author

Bamdeb Ghosh

Bamdeb Ghosh is having hands-on experience in Wireless networking domain.He's an expert in Wireshark capture analysis on Wireless or Wired Networking along with knowledge of Android, Bluetooth, Linux commands and python. Follow his site: wifisharks.com