Is it a real ARP spoofing attack or a capturing error in Wireshark?
Well, I was sharing internet to my Linux laptop from my Android mobile through USB tethering.
During usage I decided to turn OFF IPv6 in the laptop's network manager (network settings). As soon as I turned off IPv6 and applied the change, 2 additional MAC addresses, F1:F1:F1:F1:F1:F1 and F2:F2:F2:F2:F2:F2, appeared in the Wireshark capture, along with "duplicate use of 192.XXX.XX.XX1 detected!". The new MAC addresses were not identifiable in Wireshark's MAC lookup list. I am giving the details below:
MAC XX:XX:XX:XX:XX:XX
IP Address 192.XXX.XX.XXX
Default Route 192.XXX.XX.XX1
DNS 192.XXX.XX.XX1
| S.no | IP | MAC | ARP packets | Gratuitous ARP packets | ARP spoofing |
|------|----------------|-------------------|-------------|------------------------|--------------|
| 1 | 192.XXX.XX.XX1 | F1:F1:F1:F1:F1:F1 | 150 | 0 | Yes |
| 2 | 192.XXX.XX.XX1 | YY:YY:YY:YY:YY:YY | 168 | 0 | Yes |
| 3 | 192.XXX.XX.XX1 | F2:F2:F2:F2:F2:F2 | 27 | 0 | Yes |
| 4 | 192.XXX.XX.XXX | XX:XX:XX:XX:XX:XX | 324 | 0 | No |
11138 2022-03-26 01:05:53.906137 F2:F2:F2:F2:F2:F2 ARP 44 Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)
11211 2022-03-26 01:05:54.902617 F2:F2:F2:F2:F2:F2 ARP 44 Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)
11261 2022-03-26 01:05:55.902647 F2:F2:F2:F2:F2:F2 ARP 44 Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)
11608 2022-03-26 01:06:20.202821 F2:F2:F2:F2:F2:F2 ARP 44 Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)
11927 2022-03-26 01:07:06.362551 F2:F2:F2:F2:F2:F2 ARP 44 Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)
12744 2022-03-26 01:08:50.525023 F1:F1:F1:F1:F1:F1 ARP 44 Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)
12812 2022-03-26 01:08:51.521235 F1:F1:F1:F1:F1:F1 ARP 44 Who has 192.XXX.XX.XXX? Tell 192.XXX.XX.XX1 (duplicate use of 192.XXX.XX.XX1 detected!)
Also, there is additional information: "11080 UDP: Possible traceroute: hop #2, attempt #1"
11080 UDP: Standard query 0x7ff7 A exa*****.org OPT
and
14280 UDP: NTP Version 4, client
[Expert Info (Chat/Sequence): Possible traceroute: hop #5, attempt #1]
Additionally,
tcp.flags.syn == 1 and tcp.flags.ack == 0 were 315 (1.9%)
tcp.flags.syn == 1 and tcp.flags.ack == 1 were 219 (1.3%)
so there is a difference in both captures; here I am referring to this post.
Spoofing with such addresses would be odd. However, there is no listed use of these addresses, nor do I recall having seen them. Not all failover configuration protocols are very clearly defined.
Hugo, these are not actual MAC addresses; they are only indicative. I changed the actual MAC addresses and IP addresses for privacy.
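As an added example, not part of the original question or of the comments above, here is a small Python script that reproduces the check behind Wireshark's "duplicate use of <IP> detected!" expert info over packet-list lines laid out like the capture in the question: it records which source MACs act as ARP sender for each IP, counts ARP and gratuitous ARP packets per (IP, MAC) pair the way the question's table does, and tests each MAC's locally administered (U/L) bit, which is the usual reason an OUI/manufacturer lookup returns nothing for an address. The sample lines and every MAC and IP value in them are constructed placeholders; taking the Ethernet source MAC as the ARP sender hardware address is a simplification (Wireshark reads that field from the ARP payload, which normally matches).

```python
"""Flag IP addresses claimed by more than one MAC in ARP packet-list lines.

Added example for the question above; not Wireshark code. All addresses are
constructed placeholders, and the Ethernet source MAC stands in for the ARP
sender hardware address (an assumption; they normally coincide).
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the question's packet-list layout:
# frame, date, time, source MAC, protocol, length, info.
SAMPLE_CAPTURE = """\
11100 2022-03-26 01:05:40.000000 a8:5e:45:00:00:01 ARP 44 Who has 192.168.42.129? Tell 192.168.42.1
11138 2022-03-26 01:05:53.906137 f2:f2:f2:f2:f2:f2 ARP 44 Who has 192.168.42.129? Tell 192.168.42.1
11211 2022-03-26 01:05:54.902617 f2:f2:f2:f2:f2:f2 ARP 44 Who has 192.168.42.129? Tell 192.168.42.1
11300 2022-03-26 01:06:00.000000 de:ad:be:ef:00:01 ARP 42 192.168.42.129 is at de:ad:be:ef:00:01
12744 2022-03-26 01:08:50.525023 f1:f1:f1:f1:f1:f1 ARP 44 Who has 192.168.42.129? Tell 192.168.42.1
12800 2022-03-26 01:08:51.000000 f1:f1:f1:f1:f1:f1 ARP 42 Gratuitous ARP for 192.168.42.1 (Request)
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+\S+\s+\S+\s+(?P<src_mac>[0-9a-f:]{17})\s+ARP\s+\d+\s+(?P<info>.*)$",
    re.IGNORECASE,
)
GRATUITOUS_RE = re.compile(r"^Gratuitous ARP for (\S+)")
REQUEST_RE = re.compile(r"^Who has (\S+)\? Tell (\S+)")
REPLY_RE = re.compile(r"^(\S+) is at [0-9a-f:]{17}", re.IGNORECASE)


def parse_arp_lines(text):
    """One record per ARP summary line: frame, src_mac, sender_ip, kind.

    The sender IP is the address the packet claims for its source: the
    "Tell" address of a request, the "is at" address of a reply, or the
    announced address of a gratuitous ARP. Non-ARP lines are skipped.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        info = m.group("info")
        g, rq, rp = GRATUITOUS_RE.match(info), REQUEST_RE.match(info), REPLY_RE.match(info)
        if g:
            sender_ip, kind = g.group(1), "gratuitous"
        elif rq:
            sender_ip, kind = rq.group(2), "request"
        elif rp:
            sender_ip, kind = rp.group(1), "reply"
        else:
            continue
        records.append({"frame": int(m.group("frame")), "src_mac": m.group("src_mac").lower(),
                        "sender_ip": sender_ip, "kind": kind})
    return records


def find_duplicates(records):
    """IPs used as ARP sender by more than one MAC -> sorted list of those MACs.

    This is the condition behind Wireshark's "duplicate use of <ip> detected!".
    """
    claims = defaultdict(set)
    for rec in records:
        claims[rec["sender_ip"]].add(rec["src_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def count_claims(records):
    """(sender_ip, src_mac) -> number of ARP packets, like the question's table."""
    return Counter((r["sender_ip"], r["src_mac"]) for r in records)


def count_gratuitous(records):
    """src_mac -> number of gratuitous ARP packets it sent."""
    return Counter(r["src_mac"] for r in records if r["kind"] == "gratuitous")


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Such an address was not assigned from a registered OUI, so a
    manufacturer lookup (Wireshark's included) has nothing to show for it.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def summarize(text):
    """One row per (IP, MAC) pair with counts, duplicate flag and U/L bit."""
    records = parse_arp_lines(text)
    dups, counts, grat = find_duplicates(records), count_claims(records), count_gratuitous(records)
    return [
        {"ip": ip, "mac": mac, "arp_packets": n, "gratuitous": grat.get(mac, 0),
         "duplicate_ip": ip in dups, "locally_administered": is_locally_administered(mac)}
        for (ip, mac), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_CAPTURE):
        print(row)
```

Run as a script it prints one row per (IP, MAC) pair. A duplicate hit only establishes that several MACs claimed the same IP during the capture, which is a necessary condition for ARP spoofing but also arises from legitimate causes such as the failover protocols mentioned in the comments; the U/L bit tells you whether a MAC could ever have matched a vendor entry, not who owns it.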