From charlesreid1

Arpspoof is part of the Dsniff suite of tools. It's used for ARP poisoning attacks (see Man in the Middle/Wired and Man in the Middle/Wired/ARP Poisoning).

ARP Poisoning with Arpspoof

Here's a quick blow-by-blow for setting up ARP poisoning with arpspoof.

Forward Packets, Don't Drop Them

By default, packets sent to a computer that aren't meant for that computer are dropped. However, since we're running a man-in-the-middle, most of our traffic will be someone else's. So tell Linux to forward packets that aren't for us:

echo 1 > /proc/sys/net/ipv4/ip_forward

At any point you can confirm that packets are being forwarded by running:

$ cat /proc/sys/net/ipv4/ip_forward


You'll need a terminal window for each target you're spoofing. For a simple man-in-the-middle, that's two terminal windows: one for the gateway and one for the sheep.

Spoof the Gateway


$ arpspoof -i <network device> -t <target ip> <source ip>

Open the first terminal window. Assuming your network interface is eth0, your gateway is at, and your sheep is at

$ arpspoof -i eth0 -t

Spoof the Sheep

Open the second terminal window and spoof the sheep. This assumes the gateway is at and the sheep is at

$ arpspoof -i <network device> -t <sheep ip>

$ arpspoof -i eth0 -t

Sit Back And Watch The Show

You're now performing a Man in the Middle on eth0, so you can open a Wireshark instance and sniff traffic on that device.

Wireshark Dump

Let's take a look through some of the Wireshark dump to see what we can see.

First, we can see lots of DNS queries, giving away what websites are being visited (not to mention all the ad tracking traffic to different media companies). All of this is regardless of whether the Sheep is using HTTPS!


If we keep looking, eventually we'll find HTTP traffic. Here's the original request for "" with a cookie attached (indicating the Sheep has been to before):


(Note: all of the packets colored black are duplicate packets being sent out by the attacker conducing the MITM attack; see below for more info on that.)

Here's a look at all the barnacles attached to the Sheep's web traffic, in the form of adware, cookies, and other trackers, all doing DNS queries to make sure your private information makes it back to the mothership:



Duplicate IP Warning

When you see the Wireshark dump, you'll see your old friend, the Duplicate IP Warning packet, giving you away to anyone sniffing traffic on the network:


Duplicate Packets

Note that if you set packet forwarding ON, your computer will essentially be duplicating all traffic to a particular target, which is yet another dead giveaway that there's an ARP poison attack going on on the network (even visually, as every time the Sheep initiates any traffic there will be a big patch of black packets).



However, if you turn packet forwarding OFF, your Sheep will not receive any traffic destined for it, and the Sheep's network will not work.

This can only be overcome by creating a physical bridge between two devices - a Network Tap. See Man in the Middle/Wired/Network Tap

Other Drawbacks

You should note that this is subject to the same drawbacks mentioned on Man in the Middle/Wired/ARP Poisoning with Ettercap - that is, that the Sheep will start seeing funny certificate behavior, the network admin will start seeing duplicate IP addresses and false certificate packets, and in general you will generate lots of suspicious traffic.

Temporary Interruption

In addition, the frequency of ARP packets from arpspoof is 1 Hz - one packet every second - and if another computer connects to the gateway and asks for other devices' MAC addresses, the gateway will send out a query for every IP address asking "Who is" - and your target Sheep will hear that and respond. This will cause an interruption in your man-in-the-middle until the next ARP packet is sent out.