I once watched a pentester take over a colleague's browsing session in under thirty seconds, on a network we'd all been sitting on for hours. No malware, no exploit, no password guessing. One laptop simply lied about who it was, and every other device on the segment believed it without checking.

That's the whole trick behind ARP spoofing. It isn't clever code — it's a forty-year-old protocol that was never taught to ask for proof, and most of us are still running networks built on that same blind trust.

A Quick Refresher on ARP

Every device on a network goes by two names at once: an IP address, which can change depending on where you connect, and a MAC address, burned into the network card and meant to stay fixed for the life of the hardware. Software thinks in IP addresses. The wire, on the other hand, only understands MAC addresses — so something has to translate between the two, over and over, dozens of times a minute on a busy network.

That translator is ARP — Address Resolution Protocol. Your laptop asks the whole room, out loud, "who has this IP?" and whoever owns it shouts back a MAC address. The reply gets stored in a local lookup table called the ARP cache, so the same question doesn't need re-asking every time. Fast, simple, and — critically — nobody checks ID at that step.

Normal ARP exchange between devices
Figure 1 — a routine ARP exchange. Device A broadcasts the request, Device B answers, and the pairing gets cached on trust alone.

ARP shipped in 1982, defined in RFC 826, for networks where everyone plugged into the same wire was assumed to belong there. That assumption made sense in a university computer lab. It makes considerably less sense on a shared office network, a hotel Wi-Fi, or a coworking space full of strangers' laptops — which is exactly where this stops being a design quirk and starts being a security problem.

Where the Spoofing Comes In

An attacker sitting on the same Wi-Fi or switch doesn't need to guess anything — they just answer questions nobody asked. Using a tool like Ettercap, Bettercap, or a bare-bones arpspoof script, they fire off a forged ARP reply to your machine claiming to be the router, and a second one to the router claiming to be you. Neither side questions it, because ARP has no concept of a wrong answer — only a most recent one.

Both caches quietly overwrite the correct entry with the attacker's MAC address. From that moment on, everything you send toward "the router" actually stops at the attacker's machine first — who, if they're being careful, forwards it along afterward so nothing looks broken on your end. This kind of interception is what security folks call a man-in-the-middle, and ARP spoofing is one of the oldest ways to set one up on a local network.

ARP spoofing man-in-the-middle attack diagram
Figure 2 — two forged replies are all it takes. Both A and the router now send their traffic to the attacker without realizing it.

What's Actually at Stake

Once an attacker is sitting in that middle position, the damage isn't hypothetical. A few things become possible almost immediately:

  • Credential capture — any login sent over plain HTTP, FTP, or Telnet is readable in plaintext as it passes through.
  • Session hijacking — stolen cookies let an attacker step into an already-logged-in account without ever seeing a password.
  • Traffic tampering — unencrypted pages can be modified in transit, including injecting extra code before it reaches your browser.
  • Denial of service — the attacker can just drop the traffic instead of forwarding it, quietly knocking a device off the network.

None of this needs elevated privileges or a zero-day. It runs on a laptop, a Raspberry Pi, or a phone with the right app — which is part of why it keeps showing up in security conference demos two decades after it was first documented.

Where You'll Actually See This

Coffee shop demos. It's a go-to at security meetups because it's fast and visual — someone opens a laptop, points a tool at the room's Wi-Fi, and within a minute is watching login pages scroll past from other people's devices.

Internal penetration tests. Once a tester gets any foothold inside a corporate network — a compromised laptop, a rogue device on an unguarded port — ARP spoofing is usually one of the first moves to demonstrate how far that single foothold can reach.

Smart home devices. A surprising number of consumer IoT gadgets still talk over unencrypted local protocols, which makes even a "trusted" home Wi-Fi a soft target if someone unwelcome gets onto it.

Spotting It in a Packet Capture

This is where Wireshark earns its keep. The tell is almost always the same: an IP address that suddenly starts answering from a MAC address it's never used before. Below is a simplified capture — notice the router's IP shows up twice, seconds apart, with two completely different MAC addresses.

Wireshark capture showing duplicate MAC addresses for same IP
Figure 3 — a simplified capture view. Two different MAC addresses claiming the same IP within seconds is the single clearest sign of ARP poisoning in progress.

Catching It Before It Costs You

Something looks off if... Try this
An IP starts answering from a MAC it's never used before Run arpwatch, or filter for duplicate addresses in Wireshark
ARP replies show up without a matching request Turn on Dynamic ARP Inspection on managed switches
You're on coffee-shop or airport Wi-Fi Assume nothing is private — use a VPN, stick to HTTPS
You manage the network yourself Segment the network and pin static ARP entries for critical devices

Why It's Worth Knowing

There's no patch coming for ARP itself — the protocol works exactly as designed, and the design just predates the threat model we live in now. The fix has to happen at the switch and at the analyst's desk: segmented networks, inspection rules, encrypted traffic end to end, and someone who can look at a packet capture and immediately spot two MAC addresses fighting over the same IP.

It's one of the first patterns worth memorizing if you're getting into network forensics, mostly because once you've actually seen it happen, you'll start noticing the shape of it everywhere — in CTF traffic dumps, in pentest reports, and occasionally on networks you didn't expect to be watching closely enough to catch it.

Got a network you'd like a second set of eyes on? Our security team is happy to talk it through.