Beginner’s Guide to Sniffing with Arpspoof
Sniffing network traffic is an essential technique in cybersecurity, ethical hacking, and penetration testing. Arpspoof, a tool in the dsniff suite, is commonly used for ARP spoofing to intercept network packets. This guide will take you through the fundamentals of configuring and utilizing Arpspoof.
What is ARP Spoofing?
ARP (Address Resolution Protocol) spoofing is a type of attack where an attacker sends falsified ARP messages over a local network. By using this method, the attacker can connect their MAC address to the IP address of another device, typically a target computer or the default gateway. Consequently, the attacker can intercept, modify, or even block data sent between the target and the network gateway.
Common Uses of ARP Spoofing
- Man-in-the-Middle (MITM) Attacks: Intercepting and modifying traffic between two parties.
- Network Traffic Monitoring: Capturing and analyzing packets for security auditing or penetration testing.
- Session Hijacking: Gaining unauthorized access to ongoing sessions by stealing authentication cookies.
- Denial of Service (DoS): Disrupting network communication by associating multiple IPs to an attacker’s MAC address.
While ARP spoofing is often used for malicious purposes, it is also a valuable tool for Network Administrators and Ethical Hackers to identify vulnerabilities and enhance network security.
Introduction to Arpspoof Tool
Arpspoof is a command-line utility included in the dsniff suite that facilitates ARP spoofing. It works by sending ARP replies to misleading devices about the correct MAC address corresponding to a particular IP. Ethical Hackers and Penetration Testers use Arpspoof to perform MITM attacks and capture network traffic for security assessments.
Features of Arpspoof
- Simple command-line interface
- No need for additional configuration
- Works on Linux/macOS with the dsniff suite
- Lightweight and efficient for ARP poisoning
Step-by-Step Guide: Using Arpspoof for Network Sniffing
Prerequisites:
Before using Arpspoof, ensure you have:
- Root or sudo access on a Linux/macOS system
- Arpspoof installed as part of the dsniff package
- A target device IP and gateway IP within the same network
- Packet capture tools like Wireshark or tcpdump
Step 1: Install Arpspoof
If Arpspoof is not installed, install it using the following command:
| sudo apt update && sudo apt install dsniff |
Step 2: Enable IP Forwarding
To allow traffic to flow through your machine instead of being dropped, enable IP forwarding:
| echo 1 > /proc/sys/net/ipv4/ip_forward |
Here:
/proc/sys/net/ipv4/ip_forward
- This is a system file that controls IP forwarding in Linux.
- Writing 1 to it enables packet forwarding, allowing the system to act as a router.
Or use:
| sudo sysctl -w net.ipv4.ip_forward=1 |
Here:
Sysctl
- A command used to modify kernel parameters at runtime.
- Instead of modifying files in /proc/sys/, sysctl provides a more structured way to do so.
-w
- The -w flag is used with sysctl to write a new value immediately for a kernel parameter.
- Example: sudo sysctl -w net.ipv4.ip_forward=1 enables IP forwarding.
Step 3: Identify the Target and Gateway
Find the gateway and target device:
| ip route |
Here:
ip route
- A command that displays or modifies the kernel’s IP routing table.
- It shows routes (paths) used to send packets to different networks or devices.
Identify active devices on the network:
| arp -n |
Here:
arp -n displays the current ARP (Address Resolution Protocol) table, which maps IP addresses to MAC addresses on the network.
Step 4: Start ARP Spoofing
To redirect traffic from the target machine (192.168.1.100) to your system:
| sudo arpspoof -i eth0 -t 192.168.201.129 -r 192.168.201.2 |
Here:
- -i eth0 specifies the network interface to listen on (eth0 is the first Ethernet interface).
- -t 192.168.1.100 specifies the target (victim’s) IP address.
- -r 168.1.1 specifies the router’s IP address, telling the victim that the attacker’s machine is the gateway.
Step 5: Sniff Network Traffic
Once ARP spoofing is active, use tcpdump or Wireshark to capture packets:
Using tcpdump:
| sudo tcpdump -i eth0 -n |
Here:
- -i eth0 specifies the network interface to listen on (eth0 is the first Ethernet interface).
- -n prevents DNS resolution, showing only raw IP addresses instead of hostnames.
Using Wireshark:
- Open Wireshark
- Select the appropriate network interface
- Apply filters (e.g., http, tcp, udp) to analyze relevant traffic
Step 6: Stop ARP Spoofing & Cleanup
To stop the attack and restore normal ARP functionality:
- Stop Arpspoof by pressing Ctrl + C.
- Disable IP forwarding:
| echo 0 > /proc/sys/net/ipv4/ip_forward |
Here:
/proc/sys/net/ipv4/ip_forward
- This is a system file that controls IP forwarding in Linux.
- Writing 0 disables packet forwarding.
Reset ARP tables on the victim and gateway:
| sudo arp -d 192.168.201.1 && sudo arp -d 192.168.201.129 |
Here:
arp -d <IP> Deletes an ARP entry for the specified IP address, forcing the system to request a new ARP resolution.
- Restart the network services if needed:
| sudo systemctl restart networking |
This command restarts the networking service to reinitialize the network configuration.
Defense Against ARP Spoofing
To protect against ARP spoofing, consider:
- Using static ARP entries for critical devices
- Enabling port security on managed switches
- Using ARP monitoring tools like Arpwatch
- Implementing network segmentation and VPNs to encrypt traffic
In Conclusion
Arpspoof is a powerful tool for network traffic interception but should only be used ethically. Following this guide taught you how to install, use, and mitigate ARP spoofing attacks.
Check out other articles:
- Step-by-Step Guide for theHarvester Tool
- Steps for Effective DNS Footprinting
- The Ultimate Guide to SMTP and DNS Enumeration Practices
- Web Vulnerability Scanning with Nikto
- Mastering Network Discovery with Nmap: A Step-by-Step Guide
- What is Metasploit: A Practical Guide for Penetration Tester
- Shell GPT: A Practical Walkthrough
- Burp Suite: A Practical Walkthrough for Cybersecurity Enthusiasts
- Firewall Testing with Hping3: A Comprehensive Guide
- Session Hijacking Using Burp Suite
- Packet Sniffing with Snort: A Practical Guide
- Information Gathering using Spiderfoot: A Practical Walkthrough
- Practical Guide: Intercepting HTTPS Traffic with Burp Suite
- Spoofing MAC Address Using Macchanger tool
CEH v13 AI Training with InfosecTrain
InfosecTrain’s CEH v13 AI certification training course provides hands-on training, real-world attack simulations, and in-depth explanations of ARP spoofing techniques. It covers how attackers manipulate ARP tables to intercept network traffic, demonstrating tools like Arpspoof for ethical hacking. The course teaches detection and mitigation techniques to prevent unauthorized packet capture, enhancing cybersecurity skills. Through practical labs, learners gain expertise in identifying and countering sniffing threats effectively.
TRAINING CALENDAR of Upcoming Batches For CEH v13
| Start Date | End Date | Start - End Time | Batch Type | Training Mode | Batch Status | |
|---|---|---|---|---|---|---|
| 26-Jul-2025 | 31-Aug-2025 | 19:00 - 23:00 IST | Weekend | Online | [ Open ] | |
| 16-Aug-2025 | 28-Sep-2025 | 19:00 - 23:00 IST | Weekend | Online | [ Open ] |
1800-843-7890 (India)