Targeted ARP packets getting forwarded to broadcast

Hi all,

I've been working on a project that attempts to use ARP spoofing / poisoning for less nefarious purposes in the home security world (e.g. Circle and Firewalla). I've been observing a behavior that I can't seem to pin down and was hoping someone might be able to help me understand better what is going on.

I produce ARP packets that target specific devices on the network to spoof, and can observe expected packets in Wireshark like this from my laptop:

b8:27:eb:19:f1:1f b8:27:eb:19:f1:1f f0:18:98:14:2a:51 ARP 42 192.168.11.1 is at b8:27:eb:19:f1:1f

These packets are produced using Scapy, and we do sometimes produce multiple of them at a time and send them out serially. However, eventually (there is always a time delay between it working as expected initially and then acting up), I start to identify packets produced by the spoofing machine that are ending up not at the target but instead broadcast to the entire network:

b8:27:eb:19:f1:1f b8:27:eb:19:f1:1f ff:ff:ff:ff:ff:ff ARP 60 192.168.11.1 is at b8:27:eb:19:f1:1f

These packets that end up at broadcast will still list the ARP layer with the correct sender and destination information:

Address Resolution Protocol (reply)
Hardware type: Ethernet (1)
Hardware size: 6
Protocol size: 4


But at the Ethernet layer I'm seeing broadcast as the Destination instead of the MAC of the true target:

Ethernet II, Src: b8:27:eb:19:f1:1f, Dst: ff:ff:ff:ff:ff:ff
Destination: ff:ff:ff:ff:ff:ff
Source: b8:27:eb:19:f1:1f
Type: ARP (0x0806)
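
Added example, not part of the original post: a standard-library Python check that compares the Ethernet header of an ARP reply with its ARP payload, the same comparison made by eye in the Wireshark output above. Both frames are constructed samples built from the post's MAC addresses and 192.168.11.1; the target IP 192.168.11.50 and the zero-byte padding are assumptions.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp_frame(frame):
    """Decode an Ethernet II + ARP (IPv4 over Ethernet) frame into a dict."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header + ARP payload")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"eth_dst": mac(eth_dst), "eth_src": mac(eth_src), "op": op,
            "sha": mac(sha), "spa": ".".join(map(str, spa)),
            "tha": mac(tha), "tpa": ".".join(map(str, tpa)),
            "length": len(frame), "padding": len(frame) - 42}

def l2_findings(f):
    """List disagreements between the Ethernet header and the ARP payload."""
    out = []
    if f["op"] == 2 and f["eth_dst"] == BROADCAST and f["tha"] != BROADCAST:
        out.append("reply sent to broadcast but ARP target is " + f["tha"])
    elif f["op"] == 2 and f["eth_dst"] != f["tha"]:
        out.append("Ethernet dst differs from ARP target")
    if f["eth_src"] != f["sha"]:
        out.append("Ethernet src differs from ARP sender")
    if f["padding"]:
        # 42 bytes = 14 (Ethernet) + 28 (ARP); 60 is the minimum Ethernet
        # frame size without FCS, so the extra bytes are padding.
        out.append(f"{f['padding']} bytes of trailer/padding")
    return out

# Constructed samples: Ethernet src + EtherType + ARP reply body as hex.
BODY = ("b827eb19f11f" "0806" "0001" "0800" "06" "04" "0002"
        "b827eb19f11f" "c0a80b01" "f01898142a51" "c0a80b32")
UNICAST = parse_arp_frame(bytes.fromhex("f01898142a51" + BODY))
BROADCASTED = parse_arp_frame(bytes.fromhex("ffffffffffff" + BODY + "00" * 18))

if __name__ == "__main__":
    for name, f in (("42-byte frame", UNICAST), ("60-byte frame", BROADCASTED)):
        print(name, f["eth_dst"], l2_findings(f) or "consistent")
```
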