This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is my network a victim to ARP Spoofing?


Hi All,

I am not too familiar with understanding wireshark logs, but have tried to diagnose a recent network connectivity issue that is crippling our speeds.

I have been reading up on issues around the large amount of duplicate IP and ARP transactions, with a lot of resources saying it's related to an ARP spoofing attack. Would someone with a bit more experience on the matter be able to let me know if that's the case?

Here is the dump: https://www.cloudshark.org/captures/dc90369489a0

I really appreciate the support, thanks!

asked 05 Aug '15, 18:23


danr


One Answer:


It looks indeed a little bit strange. There is a suspicious system in your trace, at least from my point of view.

The IP is 192.168.16.10 with the MAC 00:04:23:e1:2F:77. It always sends a direct ARP answer to all the devices, and it also constantly sends DHCP ACKs. This makes the system suspicious. There is another MAC, 00:04:23:e1:2f:76, with the IP address 192.168.16.10.

If I were you, I would investigate this behaviour. But maybe it is just a new kind of ARP and teaming implementation?

answered 05 Aug '15, 21:47


Christian_R

edited 05 Aug '15, 22:19

Thank you for your input Christian.

(05 Aug '15, 22:04) danr

But it has an FCS checksum of 0x0, so it could be the system with the trace. Oh, and I overlooked that it is maybe the real DHCP server.

(05 Aug '15, 22:23) Christian_R

Correct, both MACs are the adapters on the DHCP server, which I wasn't aware of at the time.

(06 Aug '15, 16:30) danr
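The two signals Christian_R looks for, one IP claimed by more than one MAC and ARP replies that nobody requested, written as a small Python check; this is an added example, not code from the thread, and it runs over constructed ARP records that only model the behaviour described, not the real capture. As the thread's own conclusion shows, a hit is a prompt to investigate, not proof of spoofing: a DHCP server with two adapters or a NIC teaming setup produces the same pattern.

```python
from collections import defaultdict

# Constructed sample records (op, sender MAC, sender IP, target MAC, target IP),
# modelled on the answer's description; not taken from the cloudshark capture.
SAMPLE_ARP = [
    ("request", "00:04:23:e1:2f:77", "192.168.16.10", "00:00:00:00:00:00", "192.168.16.20"),
    ("reply",   "aa:bb:cc:00:00:20", "192.168.16.20", "00:04:23:e1:2f:77", "192.168.16.10"),
    # replies nobody asked for, from two different MACs claiming the same IP
    ("reply",   "00:04:23:e1:2f:77", "192.168.16.10", "aa:bb:cc:00:00:21", "192.168.16.21"),
    ("reply",   "00:04:23:e1:2f:76", "192.168.16.10", "aa:bb:cc:00:00:22", "192.168.16.22"),
    ("request", "aa:bb:cc:00:00:23", "192.168.16.23", "00:00:00:00:00:00", "192.168.16.10"),
    ("reply",   "00:04:23:e1:2f:77", "192.168.16.10", "aa:bb:cc:00:00:23", "192.168.16.23"),
]


def analyze_arp(records):
    """Return (ip -> set of MACs that claimed it, list of unsolicited replies).

    A reply is 'solicited' only if the target IP previously asked for the
    sender IP; anything else is counted as unsolicited (unicast or gratuitous).
    """
    claims = defaultdict(set)      # every sender IP -> MACs seen claiming it
    pending = set()                # (requester IP, requested IP) still unanswered
    unsolicited = []               # (sender MAC, sender IP, target IP)
    for op, smac, sip, tmac, tip in records:
        claims[sip].add(smac)      # requests and replies both assert sender IP/MAC
        if op == "request":
            pending.add((sip, tip))
        elif op == "reply":
            if (tip, sip) in pending:
                pending.discard((tip, sip))
            else:
                unsolicited.append((smac, sip, tip))
    return claims, unsolicited


def duplicate_ips(claims):
    """IPs claimed by more than one MAC (Wireshark's 'duplicate IP' expert info).

    Benign causes include NIC teaming and a DHCP server with two adapters,
    which is what this thread turned out to be; treat a hit as a lead only.
    """
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    claims, unsolicited = analyze_arp(SAMPLE_ARP)
    for ip, macs in duplicate_ips(claims).items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for smac, sip, tip in unsolicited:
        print(f"unsolicited reply: {sip} is-at {smac} sent to {tip}")
```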