I'm sure you've already heard about ARP Poisoning or ARP Spoofing. But do you know what it is? Let's start by seeing together what APR means


The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link-layer address, such as a MAC address, associated with a given Internet layer address, typically an IPv4 address. Every network device that needs to communicate on the network broadcast ARP queries in the network to find out other machines MAC addresses.

When one machine needs to communicate with another, it looks up its ARP table. If the MAC address doesn't exist in the table, the ARP_request is broadcasted over the network. Every machine connected will compare this IP address to MAC address. If one of the machines present in the network identifies this address, then it will respond to the ARP_request with its IP and the associated MAC address. The requesting computer will store the address key and value in its ARP table and the communication can take place.


In IT networking, ARP Poisoning, also known as ARP Spoofing or ARP Poison Routing, is a technique by which an attacker sends spoofed Address Resolution Protocol (ARP) messages onto a local area network. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as a denial of service, a man in the middle, or session hijacking attacks.

The purpose of ARP Poisoning is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the network. Furthermore, ARP Poisoning attacks can be run very easily from a compromised machine connected to the network or directly from the attacker's machine if this one has been able to connect himself directly to the targeted network.

ARP packets can be forged to send data to the attacker’s machine.

  • ARP spoofing constructs a large number of forged ARP request and reply packets to overload the switch.
  • The switch is set in forwarding mode and after the ARP table is flooded with spoofed ARP responses, the attackers can sniff all network packets.
  • Attackers flood a target computer ARP cache with forged entries, which is also known as poisoning.
  • ARP poisoning uses Man-in-the-Middle access to poison the network.


A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. In this case, the victims think that they are communicating with each other, but in reality, the attacker is controlling the communication. A MITM attack can succeed only when the attacker impersonates each endpoint sufficiently well to satisfy their expectations.



Before to move further and to perform this simulation of ARP Poisoning attack you will need the following tools:

  • Kali Linux / Parrot / BlackArch or any other Linux OS
  • Ettercap Tool

Let's move on to practice if you still have trouble to understand the principle, putting an ARP Poisoning attack into practice will help you better understand how it works and its possibilities.


First of all, you will need to find out what it the IP address of your machine onto the network. The easy way to find it out it's to open your terminal and use the below commands.


Or alternatively

ip a



As you can see highlighted in the above screenshot, presently my machine is registered onto the network with the IP address


If Ettercap is not yet installed on your system, you can install it right away using the below commands. Ettercap is available in several versions and formats. Recent source releases and binary packages are described in the download page page of the software.

Debian Based

sudo apt install ettercap

Arch Based

sudo pacman -S ettercap

In case if you get any error while installing the package, try the command below and repeat the previous commands.

sudo pacman -Rs ettercap

Centos Based

yum install ettercap

OpenSUSE Based

zypper install ettercap

Fedora Based

sudo dnf install ettercap


Now that Ettercap is already installed in your machine, we will tweak a little bit of the configuration file of Ettercap to optimize the results provided by the tool.

sudo nano /etc/ettercap/etter.conf

The ec_uid and ec_gid lines must be set to 0 in order for the program service to work on behalf of the superuser:

ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default



Next you need to find and uncomment these two lines:

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"



They are used to redirect SSL connections to regular HTTP, if possible. Then save the changes and the program is ready to work.


The program can work in several modes - with a graphical interface, without and as a service. We will consider work in the graphical interface. To run a program with a GTK interface, use the -G option:

sudo -E ettercap -G


We use the -E option for sudo to save all of our user's environment variables.

ARP poisoning Attack using Ettercap

This attack anatomy allows us to force the target computer to send packets to us instead to send it to the router.

Let us get to the point and execute the Ettercap ARP Poisoning Attack In Ettercap, click on Sniff > Unified Sniffing and in the new popup select your network interface referenced in the below screenshot by wlp2s0.


It's now the time to scan the network and list the devices currently connected. To do it, simply click hosts > scan for hosts. It will start scanning the whole network for the alive hosts. Once the scan is done, click again the hosts > hosts list to see the list of the hosts available in the network.

Important: This list also includes the default gateway address so we have to be careful when we select the targets.


We will select the targets from our list of hosts. In a MITM attack, the attacker intercepts the network and sniffs the packets. In our man-in-the-middle scenario, our target machine is and our router is In Ettercap, just click to target 1 and select add to target 1. Repeat the same with target 2 and select add to target 2.


Believe me or not, we can say you done the most difficult part already !! Let start the funny part, click Mitm > ARP poisoning and click OK. Thereafter, check the option Sniff remote connections and click OK.


Click start > start sniffing. This will start ARP poisoning in the network which means we have enabled our network card in promiscuous mode and now the local traffic can be sniffed.

Note: We have allowed only HTTP sniffing with Ettercap, so don’t expect HTTPS packets to be sniffed with this process. From this simple example, if our victim logged into some websites we will get the output into our Ettercap console.

The program is now sending packets to the network, with a request for to update the ARP cache and replace the MAC address of the router with yours. The attack is started and successfully executed. You can open the View -> Connections menu and see the active connections for the target device.


If a packet is sent through the network without encryption method, then we can view the transmitted information by clicking on the connection row. The information sent is displayed on the left side, and the information received is displayed on the right.



Any sensitive information, such as the data passed through a login form, a registration form, a contact form, etc ... as long they are not encrypted, can be parsed by the attacker examining the content of every rows and them values.