Sniff traffic from LAN using ARP

What is ARP

ARP stands for Adress Resolution Protocol. It is the protocol that associates MAC addresses with IP addresses. It is a low-level protocol (Layer 2) that is still very vulnerable to spoofing, even though it is quite old (being defined defined by RFC 826 in 1982). ARP spoofing is a favourite to use in MITM (man-in-the-middle) attacks and it is simple to implement (using automated tools). Plus, it’s a great way to have fun when you are using the same LAN as others (like in dorms, classes etc).


The victim PC is on the LAN and it’s pinging This means that it’s sending ICMP requests and DNS lookups to the gateway. My PC is responding to ARP-requests telling the victim PC that my PC is the gateway. All the traffic passes through my PC and then to the gateway, the victim PC not knowing that his traffic is being sniffed.

Impersonating the gateway – sniffing the victims PCs traffic

ARP-response packets can be crafted manually. For more info on that check Scapy. I did it the lazy way, by using a program ( dsniff ) that automates everything i want. First, i’ve installed it:

apt-get install dsniff

Dsniff has a lot of cool tools, but for this exercise i used arpspoof.

dsniff screenshot

arpspoof -i eth0 -t

  • -i -> stands for interface, here you specify the interface that you want everything to happen
  • -t -> stands for target, here you specify the victims pc IP address (
  • – is the gateways IP address, which you are impersonating

Forward traffic

We are getting the traffic from the victims PC, but the victim isn’t getting any response. The user will most likely think that his internet connection went down. To avoid this, we have to enable IP forwarding in our Linux machine. Usually this is disabled by default in most Linux distros ( the file “/proc/sys/net/ipv4/ip_forward” will have “0” in it, which means false). To enable it we simply have to change IP forwarding from false to true, in other words putting a 1 instead of 0.

echo 1 > /proc/sys/net/ipv4/ip_forward

Checking if we are sniffing traffic

Theoretically we know that we are sniffing traffic but how do we actually see it? We fire up Wireshark and filter by the victims IP address.

wireshark-ping-interceptAs you can see in the picture above, we are getting ICMP and DNS traffic, like i mentioned in the scenario.