Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2022-03-27 05:46:19 +0000

wolvo gravatar image

Is it real arp spoofing attack or capturing error in wireshark?

Well I was sharing internet to my linux laptop from android mobile through usb tethering.

during usage I decided to turn of ipv6 in the laptop network manager(network settings). As soon as I turned off the ipv6 and applied. 2 additional MAC addresses F1:F1:F1:F1:F1:F1 and F2:F2:F2:F2:F2:F2 appeared in the wireshark capture and "duplicate use of 192.XXX.XX.XX1 detected!". The new MAC addresses were not identifiable in wireshark MAC lookup list. I am giving the detail below:

MAC XX:XX:XX:XX:XX:XX

IP Add  192.XXX.XX.XXX

Default Route   192.XXX.XX.XX1

DNS     192.XXX.XX.XX1

|  S.no  |        IP         |         MAC         | ARP Packets | Grat ARP packets | ARP spoofing |
|--------------------------------------------------------------------------------------------------|
|    1   |   192.XXX.XX.XX1  |  F1:F1:F1:F1:F1:F1  |     150     |         0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    2   |   192.XXX.XX.XX1  |  YY:YY:YY:YY:YY:YY  |     168     |         0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    3   |   192.XXX.XX.XX1  |  F2:F2:F2:F2:F2:F2  |      27     |         0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    4   |   192.XXX.XX.XXX  |  XX:XX:XX:XX:XX:XX  |     324     |         0        |      No      |
|__________________________________________________________________________________________________|


11138   2022-03-26 01:05:53.906137  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11211   2022-03-26 01:05:54.902617  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11261   2022-03-26 01:05:55.902647  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11608   2022-03-26 01:06:20.202821  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11927   2022-03-26 01:07:06.362551  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12744   2022-03-26 01:08:50.525023  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12812   2022-03-26 01:08:51.521235  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

Is it real arp spoofing attack or capturing error in wireshark?

Well I was sharing internet to my linux laptop from android mobile through usb tethering.

during usage I decided to turn of OFF ipv6 in the laptop network manager(network settings). As soon as I turned off the ipv6 and applied. 2 additional MAC addresses F1:F1:F1:F1:F1:F1 and F2:F2:F2:F2:F2:F2 appeared in the wireshark capture and "duplicate use of 192.XXX.XX.XX1 detected!". The new MAC addresses were not identifiable in wireshark MAC lookup list. I am giving the detail below:

MAC XX:XX:XX:XX:XX:XX

IP Add  192.XXX.XX.XXX

Default Route   192.XXX.XX.XX1

DNS     192.XXX.XX.XX1

|  S.no  |        IP         |         MAC         | ARP Packets | Grat ARP packets | ARP spoofing |
|--------------------------------------------------------------------------------------------------|
|    1   |   192.XXX.XX.XX1  |  F1:F1:F1:F1:F1:F1  |     150     |         0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    2   |   192.XXX.XX.XX1  |  YY:YY:YY:YY:YY:YY  |     168     |         0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    3   |   192.XXX.XX.XX1  |  F2:F2:F2:F2:F2:F2  |      27     |         0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    4   |   192.XXX.XX.XXX  |  XX:XX:XX:XX:XX:XX  |     324     |         0        |      No      |
|__________________________________________________________________________________________________|


11138   2022-03-26 01:05:53.906137  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11211   2022-03-26 01:05:54.902617  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11261   2022-03-26 01:05:55.902647  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11608   2022-03-26 01:06:20.202821  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11927   2022-03-26 01:07:06.362551  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12744   2022-03-26 01:08:50.525023  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12812   2022-03-26 01:08:51.521235  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

Is it real arp spoofing attack or capturing error in wireshark?

Well I was sharing internet to my linux laptop from android mobile through usb tethering.

during usage I decided to turn OFF ipv6 in the laptop network manager(network settings). As soon as I turned off the ipv6 and applied. 2 additional MAC addresses F1:F1:F1:F1:F1:F1 and F2:F2:F2:F2:F2:F2 appeared in the wireshark capture and "duplicate use of 192.XXX.XX.XX1 detected!". The new MAC addresses were not identifiable in wireshark MAC lookup list. I am giving the detail below:

MAC XX:XX:XX:XX:XX:XX

IP Add  192.XXX.XX.XXX

Default Route   192.XXX.XX.XX1

DNS     192.XXX.XX.XX1

|  S.no  |        IP         |   |       MAC      | ARP Packets | Grat ARP packets | ARP spoofing |
|--------------------------------------------------------------------------------------------------|
|    1   |   192.XXX.XX.XX1  |  F1:F1:F1:F1:F1:F1  |     150     |     0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    2   |   192.XXX.XX.XX1  |  YY:YY:YY:YY:YY:YY  |     168     |     0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    3   |   192.XXX.XX.XX1  |  F2:F2:F2:F2:F2:F2  |      27     |      0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|    4   |   192.XXX.XX.XXX  |  XX:XX:XX:XX:XX:XX  |     324     |    0        |      No      |
|__________________________________________________________________________________________________|
|______________________________________________________________________|


11138   2022-03-26 01:05:53.906137  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11211   2022-03-26 01:05:54.902617  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11261   2022-03-26 01:05:55.902647  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11608   2022-03-26 01:06:20.202821  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11927   2022-03-26 01:07:06.362551  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12744   2022-03-26 01:08:50.525023  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12812   2022-03-26 01:08:51.521235  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

Is it real arp spoofing attack or capturing error in wireshark?

Well I was sharing internet to my linux laptop from android mobile through usb tethering.

during usage I decided to turn OFF ipv6 in the laptop network manager(network settings). As soon as I turned off the ipv6 and applied. 2 additional MAC addresses F1:F1:F1:F1:F1:F1 and F2:F2:F2:F2:F2:F2 appeared in the wireshark capture and "duplicate use of 192.XXX.XX.XX1 detected!". The new MAC addresses were not identifiable in wireshark MAC lookup list. I am giving the detail below:

MAC XX:XX:XX:XX:XX:XX

IP Add  192.XXX.XX.XXX

Default Route   192.XXX.XX.XX1

DNS     192.XXX.XX.XX1

|  S.no  |        IP      |       MAC     | ARP Packets | Grat ARP packets | ARP spoofing |
|--------------------------------------------------------------------------------------------------|
|   |---------------------------------------------------------------------------------------------|
|  1   |   192.XXX.XX.XX1  |  F1:F1:F1:F1:F1:F1  |     150     |    0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|   |---------------------------------------------------------------------------------------------|
|  2   |   192.XXX.XX.XX1  |  YY:YY:YY:YY:YY:YY  |     168     |    0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|   |---------------------------------------------------------------------------------------------|
|  3   |   192.XXX.XX.XX1  |  F2:F2:F2:F2:F2:F2  |      27     |     0        |      Yes     |
|--------------------------------------------------------------------------------------------------|
|   |---------------------------------------------------------------------------------------------|
|  4   |   192.XXX.XX.XXX  |  XX:XX:XX:XX:XX:XX  |     324     |   0        |      No      |
|______________________________________________________________________|
|_________________________________________________________________|


11138   2022-03-26 01:05:53.906137  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11211   2022-03-26 01:05:54.902617  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11261   2022-03-26 01:05:55.902647  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11608   2022-03-26 01:06:20.202821  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11927   2022-03-26 01:07:06.362551  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12744   2022-03-26 01:08:50.525023  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12812   2022-03-26 01:08:51.521235  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

Is it real arp spoofing attack or capturing error in wireshark?

Well I was sharing internet to my linux laptop from android mobile through usb tethering.

during usage I decided to turn OFF ipv6 in the laptop network manager(network settings). As soon as I turned off the ipv6 and applied. 2 additional MAC addresses F1:F1:F1:F1:F1:F1 and F2:F2:F2:F2:F2:F2 appeared in the wireshark capture and "duplicate use of 192.XXX.XX.XX1 detected!". The new MAC addresses were not identifiable in wireshark MAC lookup list. I am giving the detail below:

MAC XX:XX:XX:XX:XX:XX

IP Add  192.XXX.XX.XXX

Default Route   192.XXX.XX.XX1

DNS     192.XXX.XX.XX1

|  S.no  |        IP      |       MAC     | ARP Packets | Grat ARP packets | ARP spoofing |
|---------------------------------------------------------------------------------------------|
|  1   |   192.XXX.XX.XX1  |  F1:F1:F1:F1:F1:F1  |     150     |    0        |      Yes     |
|---------------------------------------------------------------------------------------------|
|  2   |   192.XXX.XX.XX1  |  YY:YY:YY:YY:YY:YY  |     168     |    0        |      Yes     |
|---------------------------------------------------------------------------------------------|
|  3   |   192.XXX.XX.XX1  |  F2:F2:F2:F2:F2:F2  |      27     |     0        |      Yes     |
|---------------------------------------------------------------------------------------------|
|  4   |   192.XXX.XX.XXX  |  XX:XX:XX:XX:XX:XX  |     324     |   0        |      No      |
|_________________________________________________________________|


11138   2022-03-26 01:05:53.906137  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11211   2022-03-26 01:05:54.902617  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11261   2022-03-26 01:05:55.902647  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11608   2022-03-26 01:06:20.202821  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11927   2022-03-26 01:07:06.362551  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12744   2022-03-26 01:08:50.525023  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12812   2022-03-26 01:08:51.521235  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

Also there is additional information "11080 UDP: Possible traceroute: hop #2, attempt #1"

11080 UDP: Standard query 0x7ff7 A exa*****.org OPT

and

14280 UDP: NTP Version 4, client

[Expert Info (Chat/Sequence): Possible traceroute: hop #5, attempt #1]

Is it real arp spoofing attack or capturing error in wireshark?

Well I was sharing internet to my linux laptop from android mobile through usb tethering.

during usage I decided to turn OFF ipv6 in the laptop network manager(network settings). As soon as I turned off the ipv6 and applied. 2 additional MAC addresses F1:F1:F1:F1:F1:F1 and F2:F2:F2:F2:F2:F2 appeared in the wireshark capture and "duplicate use of 192.XXX.XX.XX1 detected!". The new MAC addresses were not identifiable in wireshark MAC lookup list. I am giving the detail below:

MAC XX:XX:XX:XX:XX:XX

IP Add  192.XXX.XX.XXX

Default Route   192.XXX.XX.XX1

DNS     192.XXX.XX.XX1

|  S.no  |        IP      |       MAC     | ARP Packets | Grat ARP packets | ARP spoofing |
|---------------------------------------------------------------------------------------------|
|  1   |   192.XXX.XX.XX1  |  F1:F1:F1:F1:F1:F1  |     150     |    0        |      Yes     |
|---------------------------------------------------------------------------------------------|
|  2   |   192.XXX.XX.XX1  |  YY:YY:YY:YY:YY:YY  |     168     |    0        |      Yes     |
|---------------------------------------------------------------------------------------------|
|  3   |   192.XXX.XX.XX1  |  F2:F2:F2:F2:F2:F2  |      27     |     0        |      Yes     |
|---------------------------------------------------------------------------------------------|
|  4   |   192.XXX.XX.XXX  |  XX:XX:XX:XX:XX:XX  |     324     |   0        |      No      |
|_________________________________________________________________|


11138   2022-03-26 01:05:53.906137  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11211   2022-03-26 01:05:54.902617  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11261   2022-03-26 01:05:55.902647  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11608   2022-03-26 01:06:20.202821  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

11927   2022-03-26 01:07:06.362551  F2:F2:F2:F2:F2:F2               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12744   2022-03-26 01:08:50.525023  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

12812   2022-03-26 01:08:51.521235  F1:F1:F1:F1:F1:F1               ARP 44  Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)

Also there is additional information "11080 UDP: Possible traceroute: hop #2, attempt #1"

11080 UDP: Standard query 0x7ff7 A exa*****.org OPT

and

14280 UDP: NTP Version 4, client

[Expert Info (Chat/Sequence): Possible traceroute: hop #5, attempt #1]

Additionally 

tcp.flags.syn == 1 and tcp.flags.ack == 0          were 315(1.9%)

tcp.flags.syn == 1 and tcp.flags.ack == 1         were  219(1.3%)

so there is difference in both captures here I am referring this post