
Arp Spoofing Final Project

it's a detailed project on Arp Spoofing

Uploaded by

hexawof611

Keylogger Implementation

A PROJECT REPORT

Submitted by

Mrinal Kanti Sahoo

Rajesh Roy

in partial fulfilment for the award of the degree

of

BACHELOR OF SCIENCE (HONOURS) IN ADVANCED NETWORKING


AND CYBER SECURITY

IN

DEPARTMENT OF CYBER SCIENCE & TECHNOLOGY (CST)

BRAINWARE UNIVERSITY

398, Ramkrishnapur Rd, near Jagadighata Market,


Barasat, Kolkata, West Bengal 700125
ARP Spoofing Detector

Submitted by

Deep Roy

Rohan Bag

Suraj Mondal

Sayan Shil

in partial fulfillment for the award of the degree

of

BACHELOR OF SCIENCE (HONOURS) IN ADVANCED NETWORKING


AND CYBER SECURITY

IN

DEPARTMENT OF CYBER SCIENCE & TECHNOLOGY (CST)

BRAINWARE UNIVERSITY

398, Ramkrishnapur Rd, near Jagadighata Market,


Barasat, Kolkata, West Bengal 700125
BRAINWARE UNIVERSITY
398, Ramkrishnapur Road, Barasat, North 24 Parganas, Kolkata - 700 125

DEPARTMENT OF CYBER SCIENCE & TECHNOLOGY (CST)

BONAFIDE CERTIFICATE

Certified that this project report “ARP Spoofing Detector” is the bonafide work of “Deep Roy, Rohan Bag,
Suraj Mondal and Sayan Shil” who carried out the project work under my supervision.

SIGNATURE SIGNATURE

Mr. Anirban Lahiri Mr. Pratik Banerjee

HEAD OF THE DEPARTMENT SUPERVISOR


Assistant Professor Assistant Professor
Department of Cyber Science & Technology Department of Cyber Science & Technology
Brainware University Brainware University
TABLE OF CONTENTS
Chapter Title Page No.
ABSTRACT i
LIST OF FIGURES ii
LIST OF ABBREVIATIONS iii

1. INTRODUCTION 1-3
1.1 Project Overview 1
1.2 Objectives 1
1.3 Scope 2-3

2. LITERATURE REVIEW 3-4

3. THEORY, METHODOLOGY, MATERIALS & METHODS 5-7


3.1 Theory 5
3.2 Materials 5-6
3.3 Methodology 6-7

4. IMPLEMENTATION, RESULTS, ANALYSIS & DISCUSSIONS 8-30


4.1 Implementation 8-26
4.2 Results 26-29
4.3 Analysis 29
4.4 Results 29-30

5. CONCLUSION, FUTURE SCOPE, LIMITATION 30-32


5.1 Conclusion 30-31
5.2 Future Scope 31-32
5.3 Limitation 32

REFERENCES 32-33

ABSTRACT
Address Resolution Protocol (ARP) spoofing is a critical security threat in computer networks
where an attacker deceives the network by sending falsified ARP messages. This malicious
activity can lead to man-in-the-middle attacks, eavesdropping, and data manipulation,
compromising the integrity and confidentiality of network communications. This paper presents
the design and implementation of an ARP spoofing detector that efficiently identifies and
mitigates ARP spoofing attempts in real-time.
The proposed detector leverages a combination of anomaly detection techniques and heuristic
analysis to monitor ARP traffic and identify discrepancies indicative of spoofing attacks. By
maintaining a trusted ARP cache and cross-verifying ARP responses with this cache, the system
can promptly detect unauthorized ARP replies. Additionally, the detector incorporates machine
learning algorithms to enhance detection accuracy by learning from historical network behavior
patterns.
Evaluation of the detector demonstrates high detection accuracy with minimal false positives and
negligible impact on network performance. This solution provides a robust defense mechanism
against ARP spoofing, ensuring secure and reliable network communication.

LIST OF FIGURES

Figures Topic Page

Figures 1.1 to Figures 1.31 ARP Spoofing Detector Code 8-25

Figures 2.1 to Figures 2.2 Showing the whole ARP Spoofing code 25-26

Figures 3.1 to Figures 3.8 Testing 26-28



LIST OF ABBREVIATIONS

ARP- Address Resolution Protocol


IP- Internet Protocol
MAC- Media Access Control
DAI- Dynamic Address Resolution Protocol Inspection
S-ARP- Secure Address Resolution Protocol
TCP- Transmission Control Protocol
UDP- User Datagram Protocol
ICMP- Internet Control Message Protocol
SRP- Single Responsibility Principle
DHCP- Dynamic Host Configuration Protocol
PKT- Process Knowledge Test
NS- Neighbor Solicitation
DNN- Deep Neural Networks
LAN- Local Area Network
IDS- Intrusion Detection Systems
DAI- Dynamic ARP Inspection
NA- Neighbor Advertisement
NDP- Neighbor Discovery Protocol
NIC- Network Interface Card
MITM- Man-in-the-Middle
DoS- Denial of Service

1. Introduction
ARP (Address Resolution Protocol) spoofing detection refers to the techniques and tools used to
identify and prevent ARP spoofing attacks. ARP spoofing is a type of cyberattack where an attacker
sends fake ARP messages to associate their MAC address with the IP address of a legitimate device on a
network, allowing them to intercept, modify, or eavesdrop on traffic intended for the legitimate device.

1.1 Project Overview


ARP Spoofing Detector is a software tool designed to detect and prevent ARP spoofing attacks in a network. The
project aims to develop a robust and efficient system to:

- Monitor ARP traffic and identify suspicious activity
- Detect spoofed ARP packets and alert administrators
- Block malicious ARP packets to prevent attacks
- Provide real-time reporting and logging capabilities
- Integrate with existing network infrastructure

The tool will utilize advanced algorithms and techniques to ensure high accuracy in detection, low false
positive rates, and real-time performance. The project will involve research, development, testing, and
deployment of the software tool, with a focus on scalability, flexibility, and user-friendliness.

The goal is to enhance network security and integrity by preventing unauthorized access and ensuring
the reliability of ARP communications. The project will be developed using programming languages
like Python, C++, or Java, and will operate on various operating systems, including Windows, Linux,
and macOS.

1.2 Objectives
The objective of an ARP spoofing detector is to identify and mitigate ARP spoofing attacks within a
network. ARP (Address Resolution Protocol) spoofing is a technique where an attacker sends false ARP
messages to a local area network, resulting in the linking of their MAC address with the IP address of a
legitimate computer or server on the network. This allows the attacker to intercept, modify, or block
data intended for the legitimate IP address.

Key Objectives of an ARP Spoofing Detector:

1. Detection: Identify instances of ARP spoofing by monitoring and analyzing ARP traffic in real-
time to spot discrepancies and suspicious activities.

2. Alerting: Notify network administrators when ARP spoofing is detected, providing details about
the nature of the attack, including source and target IP/MAC addresses.

3. Prevention: Take proactive measures to prevent ARP spoofing attacks from succeeding, such as
isolating the attacker or blocking malicious traffic.

4. Logging: Maintain detailed logs of ARP traffic and detected spoofing attempts for analysis and
future reference.

5. Network Integrity: Ensure the integrity and reliability of network communications by


safeguarding against ARP-based attacks.

By achieving these objectives, an ARP spoofing detector helps maintain the security and functionality of
the network, protecting it from malicious activities that could compromise data integrity, confidentiality,
and availability.

1.3 Scope
An ARP (Address Resolution Protocol) spoofing detector focuses on identifying and preventing ARP spoofing
attacks. Here are the main aspects and scope of an ARP spoofing detector:

1. Network Traffic Monitoring: Monitoring ARP traffic to identify suspicious activity.

2. Spoofing Detection: Detecting spoofed ARP packets using advanced algorithms and techniques.

3. Alert and Notification: Alerting administrators and security teams of potential spoofing attacks.

4. Prevention and Blocking: Blocking malicious ARP packets to prevent attacks.

5. Reporting and Logging: Providing real-time reporting and logging capabilities for incident
response and analysis.

6. Integration: Integrating with existing network infrastructure, such as switches, routers, and
firewalls.

7. Scalability: Ensuring the detector can handle large volumes of network traffic and scale with the
growing network.

8. Accuracy: Achieving high accuracy in detecting spoofing attacks while minimizing false positives.

9. User Interface: Developing a user-friendly interface for easy configuration, monitoring, and
management.

10. Compatibility: Ensuring compatibility with various operating systems, network devices, and
protocols.

11. Security: Implementing appropriate security measures to protect the detector itself from potential
attacks.

12. Maintenance and Updates: Providing regular updates, maintenance, and support to ensure the
detector remains effective against evolving threats.

2. Literature Review
ARP (Address Resolution Protocol) spoofing is a type of cyber attack where an attacker sends falsified
ARP messages over a local network. This results in the linking of the attacker's MAC address with the
IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is linked
to a legitimate IP address, the attacker can receive any data intended for that IP address. This type of
attack can lead to various security issues, including data interception, session hijacking, and man-in-the-
middle attacks.

Literature Review of ARP Spoofing Detectors

1. Traditional Methods

Static ARP Tables:


One of the earliest methods to prevent ARP spoofing involves using static ARP tables. By manually
setting IP-to-MAC address mappings, devices can avoid relying on ARP responses, which can be
spoofed. However, this method is impractical for large, dynamic networks due to the administrative
overhead.

Dynamic ARP Inspection (DAI):


Implemented in network switches, DAI inspects ARP packets and ensures their validity based on a
trusted database of IP-to-MAC mappings. This technique can effectively prevent ARP spoofing but
requires compatible hardware and proper network configuration.

2. Detection Algorithms and Techniques

Passive Detection Techniques:


These techniques involve monitoring the network for anomalies in ARP traffic without altering the
normal operation of the network. An example is the use of ARPwatch, a tool that monitors ARP
traffic on a network and alerts administrators of any suspicious changes.

Active Detection Techniques:


Active techniques involve sending probe packets and analyzing the responses to detect inconsistencies.
For example, some tools send ARP requests to suspect IP addresses and verify if multiple MAC
addresses respond, indicating a possible ARP spoofing attack.

Machine Learning Approaches:


Recent research has explored the use of machine learning to detect ARP spoofing. By training models on normal
suggest an attack. Techniques like decision trees, neural networks, and support vector machines have shown
promise in accurately detecting ARP spoofing.

3. Specific Tools and Implementations

ARPwatch:
A widely used tool for passive ARP monitoring. ARPwatch logs IP-MAC pairings and alerts
administrators of any changes, which could indicate ARP spoofing.

XArp:
An advanced tool that provides both passive and active detection techniques. XArp uses complex heuristics and
graphical displays to help administrators identify and respond to ARP spoofing attempts.

Snort with ARP Spoof Preprocessor:


Snort, a popular network intrusion detection system (NIDS), can be extended with preprocessors to detect
ARP spoofing. These preprocessors analyze ARP traffic and compare it against known IP-MAC
mappings to identify discrepancies.

S-ARP (Secure ARP):


An enhancement to the ARP protocol that includes cryptographic signatures to verify the authenticity of
ARP messages. S-ARP aims to prevent ARP spoofing by ensuring that only authenticated ARP messages
are processed.

4. Challenges and Future Directions

Scalability:
Detecting ARP spoofing in large networks remains a challenge. Solutions need to be scalable
and capable of handling high volumes of traffic without introducing significant latency.

Evasion Techniques:
Attackers constantly evolve their methods to bypass detection. Advanced ARP spoofing attacks might use
techniques like timing variations or crafted packets to evade traditional detection mechanisms.

Integration with Other Security Measures:


Future research could focus on integrating ARP spoofing detectors with other network security tools, such as
firewalls and intrusion detection systems, to provide a more comprehensive security posture.

Real-time Detection:
Developing techniques that can detect ARP spoofing in real-time with minimal false positives is crucial.
Machine learning and AI-based approaches hold promise in achieving this goal.

3. THEORY, METHODOLOGY, MATERIALS & METHODS

3.1 Theory

ARP (Address Resolution Protocol) Overview:


The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link-layer
address, such as a MAC address, associated with a given IP address. ARP is essential for the functioning
of local area networks (LANs) as it facilitates the routing of packets to the correct hardware devices.

ARP Spoofing:
ARP spoofing, also known as ARP poisoning, is a type of cyberattack where an attacker sends false ARP
messages over a LAN. This allows the attacker to associate their MAC address with the IP address of
another device, such as a gateway or another host on the network. As a result, any traffic meant for that
IP address is sent to the attacker instead.

Impacts of ARP Spoofing:


- Man-in-the-Middle Attacks: The attacker can intercept and potentially modify the data being sent
between two devices.
- Denial of Service (DoS): By linking multiple IP addresses to a single MAC address, an attacker can
disrupt the normal network communication.
- Data Theft: Sensitive information such as passwords, session tokens, and personal data can be stolen.
- Network Reconnaissance: Attackers can gather information about the network and its devices.

ARP Spoofing Detection:


An ARP spoofing detector monitors ARP traffic on a network, identifies suspicious activities, and takes
steps to mitigate the impact of potential spoofing attacks. It typically involves packet capturing, traffic
analysis, anomaly detection, and response mechanisms.

3.2 Materials
To develop and implement an ARP spoofing detector, the following materials are required:
Hardware:
- A computer or server with network monitoring capabilities.
- Network Interface Card (NIC) that supports promiscuous mode.
- Reliable network infrastructure (routers, switches, etc.).

Software:
- Operating System: Linux (preferred) or Windows.
- Network Monitoring Tools: Wireshark, Tcpdump.
- Packet Analysis Libraries: Scapy (Python).
- Development Environment: Python (with necessary libraries), or any other programming language that
supports network programming.
- Database Management System: SQLite, MySQL, or any lightweight database.
- Alerting System: Email server setup, logging tools (e.g., ELK Stack).

Documentation and References:


- ARP protocol specifications.
- Network security textbooks and online resources.
- Documentation for the chosen tools and libraries.

3.3 Methodology

Project Planning:
- Define the project scope and objectives.
- Identify the key requirements and functionalities of the ARP spoofing detector.
- Create a project timeline with milestones and deliverables.

Design and Development:


- Network Packet Capture:
  - Implement a packet capture module using tools like pcap or Scapy.
  - Filter captured packets to focus on ARP traffic.
- Packet Analysis:
  - Develop an analysis engine to parse ARP packets and extract relevant fields.
  - Implement validation checks against a database of legitimate IP-MAC mappings.
  - Use anomaly detection algorithms to identify suspicious ARP packets.
- Database Management:
  - Set up a database to store IP-MAC mappings and attack signatures.
  - Develop mechanisms to update the database with new entries and attack patterns.
- Response Mechanisms:
  - Implement an alert system to notify administrators of detected ARP spoofing attempts.
  - Develop mitigation strategies to respond to detected attacks, such as sending corrective ARP messages
    or blocking malicious traffic.
- User Interface:
  - Create a dashboard for real-time monitoring and management.
  - Provide a configuration interface for updating settings and mappings.
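
The packet-analysis step above (parse ARP fields, validate them against legitimate IP-MAC mappings, flag anomalies) can be sketched with the standard library alone. This is an added example, not the project's code: the names `parse_arp`, `ArpMonitor`, `build_frame`, the alert labels and all addresses are assumptions, and the frames are constructed sample input that is never sent.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(eth_src, oper, sha, spa, tha="00:00:00:00:00:00",
                tpa="0.0.0.0", eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed Ethernet+ARP frame used only as detector input."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = ARP_BODY.pack(1, 0x0800, 6, 4, oper, mac_to_bytes(sha),
                        socket.inet_aton(spa), mac_to_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame):
    """Return ARP fields of an untagged frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + ARP_BODY.size:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_BODY.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_to_str(frame[6:12]), "oper": oper,
            "sha": mac_to_str(sha), "spa": socket.inet_ntoa(spa),
            "tpa": socket.inet_ntoa(tpa)}


class ArpMonitor:
    """Passive checks on the sender binding (spa -> sha) carried by each ARP frame."""

    def __init__(self, trusted, max_ips_per_mac=3):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.learned = {}            # first binding seen for IPs outside the trusted table
        self.claims = {}             # MAC -> set of IPs it has claimed
        self.max_ips_per_mac = max_ips_per_mac

    def inspect(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        alerts = []
        ip, mac = pkt["spa"], pkt["sha"]
        # The Ethernet source and the ARP sender hardware address should agree.
        if pkt["eth_src"] != mac:
            alerts.append("ETH_ARP_MISMATCH")
        # An ARP probe has sender IP 0.0.0.0 and asserts no binding.
        if ip == "0.0.0.0":
            return alerts
        expected = self.trusted.get(ip)
        if expected is not None:
            if mac != expected:
                alerts.append("TRUSTED_MISMATCH")
        else:
            # Keep the first binding so a repeated conflicting claim keeps alerting.
            first = self.learned.setdefault(ip, mac)
            if first != mac:
                alerts.append("BINDING_CHANGED")
        # One MAC answering for many IPs is worth review (routers and proxy ARP do it too).
        ips = self.claims.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > self.max_ips_per_mac:
            alerts.append("MAC_CLAIMS_MANY_IPS")
        return alerts


if __name__ == "__main__":
    monitor = ArpMonitor({"192.168.1.1": "aa:aa:aa:aa:aa:01"})
    samples = [
        build_frame("aa:aa:aa:aa:aa:01", 2, "aa:aa:aa:aa:aa:01", "192.168.1.1"),
        build_frame("de:ad:be:ef:00:02", 2, "de:ad:be:ef:00:02", "192.168.1.1"),
    ]
    for raw in samples:
        print(parse_arp(raw)["sha"], monitor.inspect(raw))
```

In a live deployment the `frame` bytes would come from the capture module; VLAN-tagged frames are ignored by this sketch.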

Testing and Validation:


- Set up a controlled network environment to simulate ARP spoofing attacks.
- Test the detector's ability to capture and analyze ARP packets accurately.
- Validate the effectiveness of the response mechanisms.
- Identify and fix any false positives or negatives.

Deployment:
- Deploy the ARP spoofing detector on the target network.
- Monitor its performance and make necessary adjustments.
- Train network administrators to use and manage the detector effectively.

Documentation:
- Document the design and implementation process.
- Provide user manuals and troubleshooting guides.
- Maintain logs of detected incidents and responses.

Evaluation:
- Evaluate the performance of the ARP spoofing detector based on predefined metrics (e.g., detection
accuracy, response time).
- Gather feedback from network administrators and users.
- Make improvements based on the evaluation results.

By following this methodology, the project aims to develop a robust ARP spoofing detector that
enhances network security and protects against potential ARP spoofing attacks.

4. Implementation, Results, Analysis and Discussion

4.1 Implementation

Figure 1.1
· This imports the necessary classes (ARP and Ether) and the srp
function from the Scapy library.
· ARP is used for creating ARP packets.
· Ether is used for creating Ethernet frames.
· srp is used to send and receive packets at the data link layer.

Figure 1.2

IPv6: This class is used to create and manipulate IPv6 packets.

ICMPv6ND_NS: This class is used to create ICMPv6 Neighbor Solicitation (NS) messages.

ICMPv6ND_NA: This class is used to create ICMPv6 Neighbor Advertisement (NA) messages.

Explanation of Each Class

IPv6

Used for crafting IPv6 packets, which are the main type of packet in IPv6 networks, similar
to IPv4 packets in IPv4 networks.

ICMPv6ND_NS (ICMPv6 Neighbor Solicitation)

Used for discovering the link-layer address (MAC address) of a neighbor on the same local
link.

Similar to ARP requests in IPv4 networks.

ICMPv6ND_NA (ICMPv6 Neighbor Advertisement)

Used to respond to Neighbor Solicitation messages.

Similar to ARP replies in IPv4 networks.

Figure 1.3

Functions

1. srp: This function is used to send packets and receive responses at layer 2 (data
link layer).
2. sniff: This function is used to capture packets from the network.

Figure 1.4

Explanation of the Packet Class

The Packet class in Scapy is a base class for creating various types of network packets.
It provides mechanisms to define packet fields, serialize and deserialize packets, and
interact with them in a structured manner.

Figure 1.5

This function takes an IP address as an argument and returns the corresponding MAC
address if found.

Figure 1.6

The line if ":" in ip_address: is used to check if an IP address is an IPv6 address. Here’s
a detailed explanation of this line of code and its context:

Explanation

1. This line checks if the string ip_address contains a colon (:).


2. IPv6 addresses use colons to separate groups of hexadecimal digits (e.g.,
2001:0db8:85a3:0000:0000:8a2e:0370:7334).
3. If the string contains a colon, it is likely an IPv6 address.

Context

When working with network addresses, it's important to handle IPv4 and IPv6
addresses differently because they have different formats and protocols.

Figure 1.7

The line return get_mac_ipv6(ip_address) is part of a function that distinguishes
between IPv4 and IPv6 addresses and then calls a specific function to get the MAC

Explanation

• Purpose: This line indicates that if the given IP address is an IPv6 address, the
function get_mac_ipv6 is called with ip_address as its argument.
• Context: This is typically used in a function that handles both IPv4 and IPv6
addresses, delegating the task to separate functions for each type.

Figure 1.8

The line else: # IPv4 is part of a conditional statement that differentiates between
IPv6 and IPv4 addresses. It is used to execute a specific block of code when the IP
address being processed is determined to be IPv4.

Figure 1.9

The line return get_mac_ipv4(ip_address) is part of a function that determines
whether an IP address is IPv4 or IPv6 and then calls the appropriate helper function
to retrieve the MAC address. This specific line is executed when the IP address is
identified as an IPv4 address.

Explanation

• Purpose: This line calls the function get_mac_ipv4 with the given ip_address as
its argument to obtain the MAC address corresponding to the IPv4 address.
• Context: It is used within a conditional structure that checks whether the IP
address is IPv4 or IPv6.

Figure 1.10

The line def get_mac_ipv4(ipv4_addr): is the start of a function definition in Python
that is designed to retrieve the MAC address for a given IPv4 address. Here’s an
in-depth explanation:

Explanation

• def: This keyword is used to define a new function in Python.
• ipv4_addr: This is the parameter for the function. It represents the IPv4 address
for which the MAC address is to be retrieved.

Purpose

The purpose of the get_mac_ipv4 function is to perform an Address Resolution
Protocol (ARP) request to find the MAC address corresponding to the specified IPv4
address.

Figure 1.11

The line arp_request = ARP(pdst=ipv4_addr) is used to create an ARP (Address
Resolution Protocol) request packet in Python using the Scapy library. Here’s a
detailed explanation:

Explanation

• ARP: This is a class provided by Scapy to create and manipulate ARP packets.
• pdst=ipv4_addr: This parameter sets the target IP address (the IPv4 address you
want to find the MAC address for) in the ARP request packet.

Purpose

The purpose of this line is to construct an ARP request packet that will be used to query
the network for the MAC address corresponding to the specified IPv4 address.

Detailed Breakdown

ARP Request Packet

o The ARP request packet is used to map an IP address to a MAC
address. In this case, we want to find the MAC address associated with
ipv4_addr.
o The ARP class allows you to create an ARP packet with various fields,
and by specifying pdst, you are setting the target IP address field of the
ARP request.

Setting the Target IP Address

pdst=ipv4_addr:

▪ pdst stands for "protocol destination address".
▪ This field specifies the IP address for which you want to find the
▪ ipv4_addr is the variable containing the IPv4 address you are
querying.

Figure 1.12

The line br = Ether(dst="ff:ff:ff:ff:ff:ff") creates an Ethernet frame object in Python
using the Scapy library. Here’s a detailed explanation:

Explanation

• Ether: This is a class provided by Scapy to create and manipulate Ethernet
frames.
• dst="ff:ff:ff:ff:ff:ff": This parameter sets the destination MAC address of the
Ethernet frame to the broadcast address.

Purpose

The purpose of this line is to create an Ethernet frame that will be broadcast to all
devices on the local network. The broadcast address (ff:ff:ff:ff:ff:ff) ensures that the
frame is received by all network interfaces on the local network segment.

Detailed Breakdown

Ethernet Frame

An Ethernet frame is a fundamental unit of data at the data link layer (Layer 2) of the
OSI model.

It consists of various fields including the destination and source MAC addresses, type
field, and the payload (data).

Setting the Destination MAC Address

dst="ff:ff:ff:ff:ff:ff":

dst stands for "destination address".

Setting this to ff:ff:ff:ff:ff:ff means the frame is a broadcast frame, which will be sent to
all devices on the local network segment.

Figure 1.13

The line arp_req_br = br / arp_request is part of constructing a packet using the Scapy

Explanation

• br / arp_request: This uses Scapy's syntax to combine two protocol layers: an
Ethernet frame (br) and an ARP request (arp_request).
• arp_req_br: This is the variable that stores the resulting combined packet.

Purpose

The purpose of this line is to create a complete packet that includes an Ethernet frame
encapsulating an ARP request. This combined packet can be sent over the network to
discover the MAC address corresponding to a given IP address.

Detailed Breakdown

Combining Layers in Scapy

o In Scapy, the / operator is used to stack protocol layers. The layer on the
left (br) is the lower layer, and the layer on the right (arp_request) is the
upper layer.
o br / arp_request creates a single packet where the ARP request is
encapsulated within the Ethernet frame.

Ethernet Frame (br)

br = Ether(dst="ff:ff:ff:ff:ff:ff"): An Ethernet frame with the destination MAC address
set to the broadcast address, meaning the frame will be sent to all devices on the local
network.

ARP Request (arp_request)

arp_request = ARP(pdst=ipv4_addr): An ARP request packet with the target IP address
set to ipv4_addr.

Combining the Layers

Combines the Ethernet frame and the ARP request into a single packet, stored in the
variable arp_req_br.

Figure 1.14
Purpose

The purpose of this line is to send the ARP request encapsulated in an Ethernet frame,
wait for responses from devices on the network, and store the list of responses in the

Detailed Breakdown

Sending and Receiving Packets (srp)

srp(arp_req_br, timeout=5, verbose=False):

• srp: Sends the arp_req_br packet at Layer 2 (Ethernet) and listens for responses.
• arp_req_br: The combined packet containing the Ethernet frame and ARP request.
• timeout=5: Waits up to 5 seconds for responses.
• verbose=False: Suppresses detailed output.

Extracting the Answered Packets List

The srp function returns a tuple with two elements: the first is the list of answered
packets, and the second is the list of unanswered packets.

The line then extracts the list of answered packets from the tuple.

Figure 1.15

Explanation

• if answered_list:: This condition evaluates whether the answered_list contains any
elements (i.e., whether it is not empty).

Purpose

The purpose of this line is to determine if any ARP responses were received. If
answered_list is not empty, it indicates that at least one response was received to the
ARP request.

Detailed Breakdown

Checking the Condition

o answered_list: This variable holds the list of responses received from the
ARP request. It was populated by the srp function.
o The if statement checks if answered_list is truthy, which means it checks
if the list contains any items.
o If answered_list is not empty, the condition evaluates to True.
o If answered_list is empty, the condition evaluates to False.

Figure 1.16

The line return answered_list[0][1].hwsrc is used to extract and return the
MAC address (hardware source address) from the first response packet in the
answered_list. Here’s a detailed explanation:

Explanation

answered_list[0][1].hwsrc: This expression accesses the MAC address
(source MAC address) from the second layer of the first packet in the answered_list.

Breakdown

• answered_list: This variable holds a list of packets that were received as responses to an
ARP request.
• [0]: Indexing with [0] retrieves the first packet from the list of answered packets.
• [1]: Indexing with [1] accesses the second layer (Layer 2) of the packet, which typically
contains Ethernet information.
• .hwsrc: Accesses the source MAC address (hardware source address) of the Ethernet
frame.

Purpose
The purpose of this line is to retrieve the MAC address of the device that responded to
the ARP request. ARP (Address Resolution Protocol) is used to map IP addresses to
MAC addresses on a local network, and this line specifically extracts the MAC
address of the device that has the IP address being queried.
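
Two weak points in the lookup walked through in Figures 1.5 to 1.16 are the colon test for IPv6 and the use of only the first reply. The sketch below is an added example, not the report's code: `address_family`, `summarize_replies` and `resolve_ipv4` are hypothetical names, the Scapy import is deferred so the pure helpers run without it, and sending the request needs root and a live interface.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


def address_family(text):
    """Return 4 or 6 for a valid IP literal; raise ValueError for anything else.

    A bare colon test would also accept a MAC address string or "12:34".
    """
    host = text.strip().split("%", 1)[0]      # drop an IPv6 zone id such as "%eth0"
    return ipaddress.ip_address(host).version


def summarize_replies(ip, macs):
    """Turn the hardware addresses seen in replies for `ip` into a verdict."""
    candidates = sorted({m.lower() for m in macs})
    return {
        "ip": ip,
        # Only trust the answer when every reply names the same MAC.
        "mac": candidates[0] if len(candidates) == 1 else None,
        # Different MACs answering for one IP is the signal active detection looks for.
        "conflict": len(candidates) > 1,
        "candidates": candidates,
    }


def resolve_ipv4(ip, timeout=5):
    """Broadcast one ARP request and report every MAC that answers for `ip`."""
    if address_family(ip) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    from scapy.all import ARP, Ether, srp     # deferred import (assumes Scapy is installed)

    request = Ether(dst=BROADCAST) / ARP(pdst=ip)
    # multi=True keeps listening after the first answer so a second,
    # conflicting responder is not silently dropped.
    answered, _unanswered = srp(request, timeout=timeout, verbose=False, multi=True)
    # Each answered entry is a (sent, received) pair; hwsrc is the sender
    # hardware address field of the ARP layer in the received packet.
    macs = [received[ARP].hwsrc for _sent, received in answered
            if received.haslayer(ARP)]
    return summarize_replies(ip, macs)


if __name__ == "__main__":
    # Constructed sample values; no packets are sent here.
    print(address_family("192.168.1.1"), address_family("fe80::1%eth0"))
    print(summarize_replies("192.168.1.1",
                            ["aa:aa:aa:aa:aa:01", "de:ad:be:ef:00:02"]))
```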

Figure 1.17
Summary

• Purpose: The function get_mac_ipv6(ipv6_addr) is designed to send an
ICMPv6 Neighbor Solicitation packet to retrieve the MAC address associated
with a specified IPv6 address (ipv6_addr).
• Usage: This function leverages Scapy's capabilities to construct and send
network packets (IPv6 and ICMPv6ND_NS) and to handle network responses
(sr1), making it useful for network diagnostics and address resolution in IPv6
environments.

Figure 1.18

The line ether = Ether(dst="33:33:00:00:00:01") is used to create an Ethernet frame
object in Python using the Scapy library. Here’s a breakdown of what this line does:

Explanation

• Ether: This is a class in Scapy that represents an Ethernet frame.
• dst="33:33:00:00:00:01": This parameter specifies the destination MAC address
for the Ethernet frame.

Detailed Breakdown

1. Ethernet Frame Creation

o ether = Ether(...): Initializes an Ethernet frame object and assigns it to the
variable ether.

2. Destination MAC Address (dst parameter)

o dst="33:33:00:00:00:01": Sets the destination MAC address of the
Ethernet frame to "33:33:00:00:00:01".
o The MAC address "33:33:00:00:00:01" is a multicast address typically
used for IPv6 multicast traffic. It represents a group of devices interested
in receiving IPv6 multicast packets.

Purpose

The purpose of creating this Ethernet frame is to prepare a packet that can be used to
send or receive data over an Ethernet network, specifically targeting devices interested
in receiving IPv6 multicast traffic.

Figure 1.19

The line ipv6 = IPv6(dst=ipv6_addr) is used to create an IPv6 packet object in Python
using the Scapy library. Here’s a detailed explanation of what this line does:

Explanation

• IPv6: This is a class in Scapy that represents an IPv6 packet.
• dst=ipv6_addr: This parameter specifies the destination IPv6 address for the
packet.

Detailed Breakdown

o ipv6 = IPv6(...): Initializes an IPv6 packet object and assigns it to the
variable ipv6.

2. Destination IPv6 Address (dst parameter)

o dst=ipv6_addr: Sets the destination IPv6 address of the packet to the
value stored in the variable ipv6_addr.
o The ipv6_addr variable should contain a valid IPv6 address (e.g.,
"2001:db8::1"), indicating where the packet should be sent.

Purpose

The purpose of creating this IPv6 packet is to prepare a packet that can be used to
send or receive data over an IPv6 network, specifying the destination address where
the packet should be delivered.

Figure 1.20

The line ns = ICMPv6ND_NS(tgt=ipv6_addr) is used to create an ICMPv6 Neighbor
Solicitation (NS) packet in Python using the Scapy library. Here’s a detailed
explanation of what this line does:

Explanation

• ICMPv6ND_NS: This is a class in Scapy that represents an ICMPv6 Neighbor
Solicitation (NS) packet, used in IPv6 networks for address resolution.
• tgt=ipv6_addr: This parameter specifies the target IPv6 address (usually an IPv6
address of a neighboring node) for which the resolution is being requested.

Detailed Breakdown

1. ICMPv6 Neighbor Solicitation (NS) Packet Creation

o ns = ICMPv6ND_NS(...): Initializes an ICMPv6 Neighbor Solicitation
packet object and assigns it to the variable ns.

2. Target IPv6 Address (tgt parameter)

o tgt=ipv6_addr: Sets the target IPv6 address (tgt) field of the Neighbor
Solicitation packet to the value stored in the variable ipv6_addr.
o The ipv6_addr variable should contain a valid IPv6 address (e.g.,
"2001:db8::1"), specifying the IPv6 address of the node for which the
Neighbor Solicitation is being sent.

Purpose

The purpose of creating this ICMPv6 Neighbor Solicitation packet is to prepare a


packet that can be used to resolve the link-layer address (MAC address) of a
neighboring IPv6 node on the same network segment.

Figure 1.21

Explanation

• ether: This variable holds an Ethernet frame object created using the Ether class
in Scapy.
• ipv6: This variable holds an IPv6 packet object created using the IPv6 class in
Scapy.
• ns: This variable holds an ICMPv6 Neighbor Solicitation (NS) packet object
created using the ICMPv6ND_NS class in Scapy.

Detailed Breakdown

Packet Construction

o pkt = ether / ipv6 / ns: Uses the / operator in Scapy to stack
the Ethernet frame (ether), IPv6 packet (ipv6), and ICMPv6 Neighbor
Solicitation packet (ns) into a single network packet (pkt).
o Scapy overloads the / operator to build a layered packet structure.
Each layer (Ethernet, IPv6, ICMPv6) is stacked on top of the previous
layer to form a complete packet structure.

Purpose

The purpose of constructing this packet (pkt) is to prepare a complete network packet
that encapsulates an ICMPv6 Neighbor Solicitation request within an IPv6 packet,
which in turn is encapsulated within an Ethernet frame. This layered structure allows
the packet to be transmitted over an Ethernet network while adhering to IPv6
specifications for communication.
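
What the ether / ipv6 / ns stack looks like at byte level, as an added example that is not the report's code: it builds a Neighbor Solicitation with the Python standard library, addressed to the target's solicited-node multicast group as RFC 4861 address resolution does, with the hop limit of 255 that receivers require and the ICMPv6 checksum filled in. The function names and all addresses are constructed for illustration.

```python
import ipaddress
import struct


def solicited_node(target):
    """Solicited-node multicast group (RFC 4291) and its Ethernet address (RFC 2464)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    group = ipaddress.IPv6Address(base | low24)
    # Ethernet multicast for IPv6: 33:33 followed by the low 32 bits of the group.
    return group, b"\x33\x33" + group.packed[-4:]


def icmpv6_checksum(src, dst, icmp):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src + dst + struct.pack("!I3xB", len(icmp), 58) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ns_frame(src_mac, src_ip, target):
    """Ethernet + IPv6 + ICMPv6 Neighbor Solicitation asking who owns `target`."""
    smac = bytes.fromhex(src_mac.replace(":", ""))
    group, dmac = solicited_node(target)
    src = ipaddress.IPv6Address(src_ip).packed
    tgt = ipaddress.IPv6Address(target).packed
    # ICMPv6: type 135 (NS), code 0, checksum placeholder, 4 reserved bytes, target,
    # then a Source Link-Layer Address option (type 1, length 1 unit of 8 bytes).
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + tgt + b"\x01\x01" + smac
    csum = icmpv6_checksum(src, group.packed, icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    # IPv6 fixed header: version 6, payload length, next header 58, hop limit 255.
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255) + src + group.packed
    return dmac + smac + struct.pack("!H", 0x86DD) + ip6 + icmp


if __name__ == "__main__":
    # Constructed values: a locally administered MAC and documentation addresses.
    frame = build_ns_frame("02:00:00:00:00:10", "fe80::10", "2001:db8::1")
    print(len(frame), frame.hex())
```

A receiver that follows RFC 4861 discards Neighbor Discovery messages whose hop limit is not 255, which is why the value is fixed here: it shows the packet was not forwarded by a router.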

Figure 1.22

Explanation

• srp: This is a function in Scapy that stands for "send and receive packets". It
sends a packet and waits for responses.
• pkt: This variable holds the network packet (constructed using Scapy) that is to
be sent over the network.
• timeout=5: Specifies a timeout of 5 seconds for waiting for responses.
• verbose=False: Suppresses verbose output during packet sending and receiving.
• [0]: Indexing [0] is used to access the first element of the returned tuple from srp,
which contains the list of answered packets.

Detailed Breakdown

Sending and Receiving Packets

answered_list = srp(pkt, timeout=5, verbose=False)[0]:

Sends the packet pkt over the network and waits for responses using Scapy's srp
function.

timeout=5: Specifies a timeout period of 5 seconds. If no response is received within this
time, answered_list may be empty.

verbose=False: Suppresses verbose output, which can reduce the amount of information
printed to the console during packet transmission and reception.

Accessing the Answered Packets

Indexing [0] is used to access the first element of the tuple returned by srp.

The tuple returned by srp typically contains two lists: the list of answered packets and
the list of unanswered packets.

answered_list will contain the list of packets that received a response.

Purpose

The purpose of this line is to send a prepared network packet (pkt) over the network
interface, wait for a response within a specified timeout (timeout=5 seconds), and
collect any responses received into the answered_list variable.

Figure 1.23

Explanation

• answered_list: This variable holds the list of answered packets returned by the srp
function in Scapy.
• for sent, received in answered_list:: This is a Python for loop that iterates over each
tuple (sent, received) in answered_list.
• sent: Represents the packet that was sent (part of the tuple).
• received: Represents the packet that was received in response to the sent packet
(part of the tuple).

Detailed Breakdown

Iterating Through Answered Packets

for sent, received in answered_list:: Initiates a loop that iterates over each tuple (sent,
received) in the answered_list.
For each iteration:
sent will contain the original packet that was sent.
received will contain the packet that was received as a response to the sent packet.

Tuple Structure

Each tuple in answered_list typically contains two elements:
The first element (sent) is the original packet that was sent over the network.
The second element (received) is the packet that was received in response to the sent
packet.

Purpose
The purpose of iterating through answered_list in this manner is to process each pair
of sent and received packets, allowing further analysis or action based on the
responses received from the network.

Figure 1.24

Explanation

• received: This variable represents the packet that was received in
response to a sent packet.
• .haslayer(ICMPv6ND_NA): This method in Scapy checks if the received packet
(received) contains a layer corresponding to ICMPv6 Neighbor Advertisement (NA).

Detailed Breakdown

Checking for Layer Presence

.haslayer(ICMPv6ND_NA): This method is used to determine if the packet (received)
contains a specific protocol layer (ICMPv6ND_NA).
In this context, ICMPv6ND_NA refers to the Neighbor Advertisement packet type in
ICMPv6, which is used in IPv6 networks for neighbor discovery and address
resolution.

Return Value

If .haslayer(ICMPv6ND_NA) returns True, it indicates that the received packet contains
an ICMPv6 Neighbor Advertisement layer.
If .haslayer(ICMPv6ND_NA) returns False, it means that the received packet does not
contain an ICMPv6 Neighbor Advertisement layer.

Purpose
The purpose of using if received.haslayer(ICMPv6ND_NA): is typically to
conditionally process or extract information from the received packet (received) if it
contains an ICMPv6 Neighbor Advertisement layer. This allows for specific handling
of neighbor advertisement messages in IPv6 networking scenarios.

Figure 1.25
The line return received[Ether].src is used to extract and return the source MAC
address (src) from the Ethernet header (Ether) of the received packet (received).
Here’s a breakdown of what this line does:

Explanation

• received: This variable represents the received packet, typically
obtained from functions like srp in Scapy.
• [Ether]: This indexing notation is used in Scapy to access a specific layer within the
packet. In this case, [Ether] refers to the Ethernet layer.
• src: This attribute retrieves the source MAC address (src) from the Ethernet header
of the packet.

Detailed Breakdown

Accessing the Ethernet Layer

received[Ether]: Retrieves the Ethernet layer (Ether) from the received packet
(received). This assumes that the received packet contains an Ethernet frame.

Retrieving the MAC Address

.src: Accesses the source MAC address (src) attribute within the Ethernet header (Ether)
of the packet.
The source MAC address (src) is a 6-byte (48-bit) unique identifier assigned to the
network interface card (NIC) of the device that sent the packet.

Purpose
The purpose of return received[Ether].src is to extract and return the source MAC
address of the device that sent the received packet. This is useful for tasks such as
network monitoring, device identification, and troubleshooting in network
environments.

Figure 1.26
The function process_sniffed_packet(packet: Packet) would typically involve
analyzing the data within the captured network packet. Here's a step-by-step
explanation of what such a function might do:

Packet Decoding: Extract and decode the data contained in the packet. This might
involve interpreting headers and payloads of various protocols (e.g., Ethernet, IP,
TCP/UDP).

Protocol Analysis: Determine which protocols are involved and extract relevant
information. For instance, if the packet is an IP packet, extract the source and
destination IP addresses.

Payload Inspection: Analyze the packet's payload for specific data or patterns. This
could be looking for certain keywords, signatures of malicious activity, or
protocol-specific information.

Logging and Alerting: Log the details of the packet for future reference and possibly
alert administrators if suspicious or malicious activity is detected.

Response Actions: Depending on the packet's content, take appropriate actions such
as blocking an IP address, resetting a connection, or triggering additional security
measures.

Code line 34: if packet.haslayer(ARP) and packet[ARP].op == 2:

The condition if packet.haslayer(ARP) and packet[ARP].op == 2: in a Python script
using Scapy checks whether a network packet is an ARP reply. Here's a detailed
explanation:

packet.haslayer(ARP): This checks if the packet has an ARP (Address Resolution
Protocol) layer. ARP is used for mapping IP addresses to MAC addresses within a
local network.
packet[ARP].op == 2: Within the ARP layer, op refers to the operation
type. In ARP, the operation type can be either:
1: ARP request
2: ARP reply
This condition specifically checks if the ARP operation type is 2, indicating that the
packet is an ARP reply.
In summary, the condition if packet.haslayer(ARP) and packet[ARP].op == 2: is used
to identify ARP reply packets. ARP replies are sent in response to ARP requests and
contain the MAC address corresponding to a given IP address.

Code line 35: response_mac = packet[ARP].hwsrc

The line response_mac = packet[ARP].hwsrc is used in a Python script utilizing Scapy
to extract the hardware (MAC) address from an ARP packet. Here's a detailed
breakdown:

packet[ARP]: Accesses the ARP layer of the packet. This is possible only if the packet
contains an ARP layer.
hwsrc: A field in the ARP layer that holds the sender's MAC address. The sender's MAC
address is the address of the device that sent the ARP packet.
So, response_mac = packet[ARP].hwsrc assigns the sender's MAC address from the
ARP packet to the variable response_mac. This can be used in various network
analysis and security scenarios, such as:

ARP Spoofing Detection: By comparing the response_mac to the expected MAC
address for the given IP address, one can detect if an attacker is sending fake ARP
responses to mislead other devices on the network.

Here is an example of how this might be used in a script to detect ARP spoofing:

Figure 1.27
The line `original_mac = get_mac(target_ip)` is likely part of a script designed to
fetch the MAC address associated with a specific IP address. This line calls a function
named `get_mac`, passing `target_ip` as an argument, and assigns the returned MAC
address to the variable `original_mac`.

In the context of ARP spoofing, obtaining the MAC address of a target IP is a crucial
step. Here's a basic example of what the get_mac function might look like in Python
using the Scapy library:

Figure 1.28

The condition `if original_mac and original_mac != response_mac:` checks two things:

1. Existence of `original_mac`: The condition `if original_mac` ensures that
`original_mac` is not `None` or an empty string. This means that the script has
successfully retrieved a MAC address for the original target IP.
2. Mismatch with `response_mac`: The condition `original_mac !=
response_mac` checks if the MAC address retrieved (`response_mac`) is different
from the originally recorded MAC address (`original_mac`).

This check is useful in scenarios such as ARP spoofing detection. Here’s what the
code does:
original_mac: The legitimate MAC address for a given IP address when
the script starts.
response_mac: The MAC address currently associated with the same IP address at a
later time.
If original_mac and response_mac do not match, it indicates a possible ARP spoofing
attack, where an attacker has sent malicious ARP messages to associate their MAC
address with the IP address of the target device. This discrepancy triggers an alert or
further action to mitigate the spoofing attack.

Figure 1.29

The line `elif packet.haslayer(ICMPv6ND_NA):` is used in a network packet
processing script to check if the current packet contains an ICMPv6 Neighbor
Advertisement (NA) layer. This is typically part of a series of conditional checks in a
packet handler function.

Here's an explanation of the components:

elif: Stands for "else if". It is used to specify a new condition to check if the previous
conditions were false.
packet.haslayer(ICMPv6ND_NA): This calls the haslayer method on the packet object
to determine if it contains the ICMPv6ND_NA layer.
ICMPv6 Neighbor Advertisement messages are used in IPv6 for the Neighbor
Discovery Protocol (NDP). These messages are critical for functions such as address
resolution and neighbor unreachability detection.

In a broader script, this check might be part of a function that processes different types
of network packets, taking specific actions depending on the packet type. For
example:

Figure 1.30
The provided code is part of a network packet analysis script that detects potential IPv6
Neighbor Advertisement (NA) spoofing attacks. Here’s a breakdown of each line:

target_ip = packet[IPv6].src:
This line extracts the source IP address from the IPv6 layer of the packet and assigns it
to the variable target_ip. It indicates the IP address of the device that sent the packet.

response_mac = packet[Ether].src:
This line extracts the source MAC address from the Ethernet layer of the packet and
assigns it to the variable response_mac. It represents the MAC address of the device
that sent the packet.

original_mac = get_mac(target_ip):
This line calls the function get_mac with target_ip as the argument to retrieve the
original MAC address associated with the target_ip from the local network. This is the
MAC address that should correspond to the given IP address.

if original_mac and original_mac != response_mac::
This condition checks two things:
Whether original_mac is not None or an empty value.
Whether original_mac is different from response_mac.
If both conditions are true, it means the MAC address currently claiming to be
associated with target_ip is different from the known original MAC address,
indicating a potential spoofing attack.

print("[*] ALERT!! You are under attack, the IPv6 Neighbor table is being poisoned!"):
If the condition above is true, this line prints an alert message indicating that the IPv6
Neighbor table is potentially being poisoned, which is a type of attack where an
attacker sends fake Neighbor Advertisement packets to redirect traffic.

This script snippet is designed to detect when an IPv6 address has been associated
with a different MAC address than expected, which is a common indication of a Man-
in-the-Middle (MITM) attack where the attacker tries to intercept or redirect network
traffic by poisoning the Neighbor table.
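
The ARP-reply check and the Neighbor Advertisement check described above, as an added example that is not the report's own code: it parses raw frame bytes with the Python standard library instead of Scapy, so it runs without a capture interface, and compares each claim with a pinned baseline table instead of calling get_mac when the packet arrives. Assumptions: the function names, the BASELINE table and the sample frames are constructed; for Neighbor Advertisements the binding is keyed on the NA target field, where the report's snippet uses packet[IPv6].src; the extra comparison of the ARP sender MAC with the Ethernet source is an addition.

```python
import ipaddress
import struct

ETH_ARP, ETH_IPV6 = 0x0806, 0x86DD
ARP_REPLY = 2            # the value tested by packet[ARP].op == 2
ICMPV6, ND_NA = 58, 136  # IPv6 next-header value for ICMPv6; NA message type
# Constructed baseline: the pinned "original_mac" for each protected address.
BASELINE = {"192.0.2.1": "02:00:00:00:00:01", "2001:db8::1": "02:00:00:00:00:01"}


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)


def extract_claim(frame):
    """Return (ip, claimed_mac, ether_src) for an ARP reply or ICMPv6 NA, else None."""
    if len(frame) < 14:
        return None
    ether_src, body = _fmt(frame[6:12]), frame[14:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_ARP and len(body) >= 28:
        if struct.unpack("!HHBBH", body[:8]) != (1, 0x0800, 6, 4, ARP_REPLY):
            return None  # not an Ethernet/IPv4 ARP reply
        # body[8:14] is packet[ARP].hwsrc, body[14:18] is packet[ARP].psrc
        return str(ipaddress.IPv4Address(body[14:18])), _fmt(body[8:14]), ether_src
    if ethertype == ETH_IPV6 and len(body) >= 64:
        # Handles an NA directly after the fixed 40-byte header (no extension headers).
        if body[6] != ICMPV6 or body[40] != ND_NA or body[7] != 255:
            return None  # RFC 4861: ND messages are only valid with hop limit 255
        target = ipaddress.IPv6Address(body[48:64])  # the address being advertised
        return str(target), ether_src, ether_src     # MAC taken from packet[Ether].src
    return None


def check_frame(frame, baseline=BASELINE):
    """Alerts for one frame: original_mac (baseline) versus response_mac (claim)."""
    claim = extract_claim(frame)
    if claim is None:
        return []
    ip, response_mac, ether_src = claim
    alerts = []
    if response_mac != ether_src:
        alerts.append(f"{ip}: ARP sender MAC {response_mac} != Ethernet source {ether_src}")
    original_mac = baseline.get(ip)
    if original_mac and original_mac != response_mac:
        alerts.append(f"{ip}: pinned {original_mac}, reply claims {response_mac}")
    return alerts


def sample_arp_reply(eth_src, hwsrc, psrc):
    """Constructed ARP reply addressed to a fictional host 192.0.2.10."""
    host_mac = _mac("02:00:00:00:00:10")
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac(hwsrc) + ipaddress.IPv4Address(psrc).packed
    arp += host_mac + ipaddress.IPv4Address("192.0.2.10").packed
    return host_mac + _mac(eth_src) + struct.pack("!H", ETH_ARP) + arp


def sample_na(eth_src, target, hop_limit=255):
    """Constructed unsolicited NA to ff02::1; checksum left at 0 and not verified."""
    tgt = ipaddress.IPv6Address(target).packed
    icmp = struct.pack("!BBHI", ND_NA, 0, 0, 0x20000000) + tgt  # Override flag set
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    ip6 += tgt + ipaddress.IPv6Address("ff02::1").packed
    return _mac("33:33:00:00:00:01") + _mac(eth_src) + struct.pack("!H", ETH_IPV6) + ip6 + icmp


if __name__ == "__main__":
    gw, other = "02:00:00:00:00:01", "02:00:00:00:00:66"
    frames = [sample_arp_reply(gw, gw, "192.0.2.1"),        # matches the baseline
              sample_arp_reply(other, other, "192.0.2.1"),  # binding changed
              sample_na(other, "2001:db8::1")]              # binding changed (IPv6)
    for frame in frames:
        print(check_frame(frame) or "ok")
```

Pinning the baseline before monitoring starts matters because a lookup made only after a suspicious reply arrives can itself be answered by the host that sent that reply.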

Figure 1.31

The provided code snippet uses Scapy, a powerful Python library used for
network packet manipulation, to sniff packets on a specified network interface.
Here’s a detailed explanation:

Function Definition:

Calling the Function:

Example of process_sniffed_packet

For this code to work, you need to have a function process_sniffed_packet
defined. Here’s an example:

Example Output
If a packet is captured, the process_sniffed_packet function will print its summary to
the console.

FULL CODE OF ARP SPOOFING DETECTOR

Figure 2.1

Figure 2.2

4.2 Results:

VICTIM'S MACHINE

Step 1: Use the vim command to create a file

Figure 3.1

Step 2: Now we need to add the command to the file

Figure 3.2

Step 3: Now we need to change the file permission

Figure 3.3

Step 4: We need to run the application

Figure 3.4

ATTACKER MACHINE

Step 1: We need to run the ARP spoofer and provide the victim machine's IP

Figure 3.5

Step 2: We need to provide the gateway as well

Figure 3.6

Step 3: We can see the attacker trying to steal the victim machine's IP

Figure 3.7

VICTIM'S MACHINE

Figure 3.8

Here we can see that our ARP spoofing detector is working properly.

4.2 Analysis

An ARP spoofing detector can be analyzed based on various aspects such as detection
techniques, tools used, and the overall effectiveness. Here are the key points to
consider:

Detection Techniques:

Static ARP Entries: This method involves setting static ARP entries to prevent
changes. However, it is not suitable for large or dynamic networks due to maintenance
complexity.

Traffic Analysis: Analyzing network traffic for anomalies or irregularities can be
effective. Tools like Wireshark can help in detecting unusual ARP traffic.

Signature-Based Detection: This involves creating a database of known ARP spoofing
signatures and comparing network packets against it.

Anomaly-Based Detection: This method uses machine learning or statistical analysis to
identify deviations from normal traffic patterns.

Tools and Methods:

Wireshark: Widely used for packet analysis, capable of identifying suspicious ARP
packets.

Scapy: A Python library that can be used to script ARP spoofing detection by analyzing
packet layers.

OpenWrt: An open-source firmware for routers that can be equipped with ARP spoofing
detection capabilities.

Effectiveness:

The effectiveness of ARP spoofing detection systems largely depends on the network
size, complexity, and the chosen detection method.
Real-time detection and alert systems are crucial for immediate response to ARP
spoofing attacks.

In summary, effective ARP spoofing detection involves a combination of static entries,
traffic analysis, and advanced detection tools. The choice of tools and methods should
align with the network’s characteristics and security requirements.

4.3 Discussion

ARP (Address Resolution Protocol) spoofing is a technique used by attackers to
intercept communication between network devices. Detecting and preventing ARP
spoofing is critical for maintaining network security. Here is a discussion on various
aspects of ARP spoofing detectors:

Static ARP Entries: Setting static ARP entries can prevent unauthorized changes to the
ARP table. However, this method is impractical for large, dynamic networks.

Traffic Analysis: Tools like Wireshark and Scapy can analyze network traffic for
suspicious ARP packets. For example, Scapy can script detection methods to identify
and alert on ARP spoofing attempts.

Signature-Based Detection: This involves maintaining a database of known ARP
spoofing signatures and comparing incoming ARP requests to this database.

Anomaly-Based Detection: This technique uses machine learning or statistical
analysis to identify deviations from normal network behavior, indicating potential
ARP spoofing.

Prevention Methods:

Encryption: Encrypting data packets can mitigate the risk of interception by ARP
spoofing attackers.

Packet Filtering: Implementing packet filtering rules to block suspicious ARP traffic can
enhance security.

Dynamic ARP Inspection (DAI): This technique verifies ARP requests and responses to
ensure they conform to the valid address mappings in the DHCP database.

Tools for ARP Spoofing Detection:

Wireshark: A popular packet analyzer that can detect unusual ARP traffic.

Scapy: A Python library used for network packet manipulation, useful for custom ARP
spoofing detection scripts.

SNORT: An open-source network intrusion detection system that can detect ARP
spoofing by analyzing network traffic patterns.

Effectiveness and Challenges:

The effectiveness of ARP spoofing detectors depends on the network size and
complexity.
Real-time detection and alert systems are crucial for immediate response to potential
threats.
Ongoing research and development are needed to address evolving spoofing techniques
and improve detection accuracy.

In conclusion, a multi-faceted approach combining static entries, traffic analysis,
advanced detection tools, and preventive measures can enhance ARP spoofing
detection and prevention.

5. Conclusion, Future Scope, Limitations

5.1 Conclusion

The ARP spoofing detector project aims to address the critical need for securing
network communications from ARP spoofing attacks. Here are the key conclusions
drawn from the project:

Effectiveness of Detection Techniques:

Traffic Analysis: Analyzing network traffic for anomalies using tools like Scapy has
proven to be effective in identifying spoofed ARP packets.

Machine Learning: Implementing machine learning models on ARP spoofing
datasets enhances detection accuracy and adaptability in dynamic network
environments.

Implementation of Tools:

Wireshark and Scapy: These tools are essential for packet analysis and creating
custom detection scripts. They offer robust solutions for monitoring and identifying
suspicious ARP traffic.

Defense Mechanisms: The project proposes implementing defense mechanisms such
as static ARP entries and Dynamic ARP Inspection (DAI) to prevent spoofing attempts.

Challenges and Future Work:

Scalability: Ensuring that the ARP spoofing detection system scales efficiently with
network size and complexity remains a challenge.

Real-Time Detection: Real-time detection and immediate response are crucial for
mitigating the impact of ARP spoofing attacks.

Ongoing Research: Continuous research is necessary to adapt to evolving attack
techniques and improve detection algorithms.

In conclusion, the ARP spoofing detector project demonstrates a comprehensive
approach to detecting and preventing ARP spoofing attacks. By leveraging advanced
traffic analysis, machine learning, and robust defense mechanisms, the project
provides a solid foundation for enhancing network security.

5.2 Future Scope


Future enhancements to ARP spoofing detectors could focus on the following areas:

Deep Learning Integration: Implementing advanced deep learning models can
improve the accuracy and efficiency of detecting ARP spoofing attempts by analyzing
traffic patterns and identifying anomalies more effectively.

Real-time Detection and Response: Enhancing the system to provide real-time
detection and automated response mechanisms can reduce the time lag between
detecting an attack and mitigating its effects, thereby minimizing potential damage.

Scalability: Improving the scalability of ARP spoofing detectors to handle larger and
more complex network environments will ensure they remain effective in diverse
deployment scenarios.

Enhanced User Interface: Developing more intuitive and comprehensive dashboards
can help network administrators monitor and manage ARP spoofing threats more
efficiently.

Cross-Protocol Detection: Extending detection capabilities beyond ARP to include
other protocols vulnerable to spoofing, such as IPv6, can provide broader network
security coverage.

Integration with Existing Security Tools: Seamless integration with other network
security tools, such as firewalls and intrusion detection systems (IDS), can enhance
overall network protection by providing a multi-layered defense strategy.

5.3 Limitations

ARP spoofing detectors, while effective, have several limitations:

False Positives and Negatives: Detection systems may produce false positives,
flagging legitimate traffic as malicious, or false negatives, failing to identify actual
spoofing attempts.

Time Lag: Passive detection methods can suffer from delays between the occurrence
of spoofing and its detection, potentially allowing an attacker to exploit the network
during this window.

Resource Intensive: Continuous monitoring and analysis of ARP packets can be
resource-intensive, potentially impacting network performance.

Complex Network Environments: In complex or highly dynamic network
environments, maintaining an accurate and updated ARP table for comparison can be
challenging, reducing the effectiveness of detection mechanisms.

Bypassing Detection: Advanced attackers can use sophisticated techniques to evade
detection, such as timing their spoofing activities to avoid detection windows or
mimicking legitimate traffic patterns.

Limited Scope: ARP spoofing detectors typically only address threats within the local
area network (LAN), providing no protection against other types of network attacks
like denial of service (DoS) or session hijacking.
