Ask Your Question

Revision history [back]

Targeted ARP packets getting forward to broadcast

Hi all,

I've been working on a project that attempts to use ARP spoofing / poisoning for less nefarious purposes in the home security world (e.g. Circle and Firewalla). I've been observing a behavior that I can't seem to pin down and was hoping someone might be able to help me understand better what is going on.

I produce ARP packets that target specific devices on the network to spoof, and can observe expected packets in Wireshark like this from my laptop:

b8:27:eb:19:f1:1f b8:27:eb:19:f1:1f f0:18:98:14:2a:51 ARP 42 is at b8:27:eb:19:f1:1f

These packets are produced using ScaPy, and we do sometimes produce multiple of them at a time and send them out serially. However, eventually (there is always a time delay between it working as expected initially and then acting up), I start to identify packets produced by the spoofing machine that are ending up not at the target but instead broadcast to the entire network:

b8:27:eb:19:f1:1f b8:27:eb:19:f1:1f ff:ff:ff:ff:ff:ff ARP 60 is at b8:27:eb:19:f1:1f

These packets that end up at broadcast will still list the ARP layer with the correct sender and destination information:

Address Resolution Protocol (reply)    
Hardware type: Ethernet (1)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
Sender MAC address: b8:27:eb:19:f1:1f
Sender IP address: DD-WRT (
Target MAC address: a6:17:db:5a:05:64
Target IP address:iPhone.home (

But at the Ethernet layer I'm seeing broadcast as the Destination instead of the MAC of the true target:

Ethernet II, Src: b8:27:eb:19:f1:1f, Dst: ff:ff:ff:ff:ff:ff
Destination: ff:ff:ff:ff:ff:ff
Source: b8:27:eb:19:f1:1f
Type: ARP (0x0806)
Padding: 000000000000000000000000000000000000

I'm hoping someone can help me understand how these broadcasts that aren't explicitly sent to broadcast are ending up there anyway - is this an expected behavior, maybe for devices that aren't available to successfully receive the packet that was sent out? Is this behavior different by router model / manufacturer or expected based on the protocol and is otherwise universal? The current setup is running through a DD-WRT-based router. What's more, is there any way to prevent this from happening automatically?

Thanks in advance!