We’re shipping real-time ARP spoofing detection.
The detector WifiThreatWatch was born around — and it watches the wire, not a cache the attacker has already rewritten.
We’re excited to announce the first detector in WifiThreatWatch: real-time ARP spoofing detection. It’s the attack we built the whole product around — the classic way an adversary on your network turns themselves into an invisible middleman — and it’s live now, on Windows, free.
A VPN hides what you send. It can’t tell you an attacker is standing between you and your router. That gap is exactly where we started.
The attack a VPN can’t see
ARP spoofing is the oldest trick on a local network, and still one of the most effective. Because ARP has no authentication, an attacker can announce that your router’s IP belongs to their hardware, and your device believes them. From that moment every packet detours through the attacker on its way out — a textbook man-in-the-middle.
The reason it deserved to be our first detector is that it’s the perfect illustration of the gap we exist to close. Encryption tools protect your data’s contents; none of them tell you the attacker is on your path in the first place. Detection is a different job.
Live capture, off the wire
Instead of periodically reading the ARP cache — a table the attacker can poison and hold — our detector runs a dedicated capture thread that sniffs ARP frames off the wire in real time via Npcap. It reasons about three signals:
- Gateway impersonation — your router’s IP announced with a MAC that differs from the trusted baseline. Raised as critical.
- Conflicting bindings — the same IP asserting two different MACs inside a short window.
- Unsolicited replies — broadcast and self-targeted gratuitous ARP, treated as corroborating evidence.
Before anything interrupts you, a two-signal verification step — an active gateway probe weighed against live sniffer activity — confirms the attack is genuinely happening, so a stale poisoned cache from an attack that already ended doesn’t set off a false alarm.
Why the wire beats the cache
This is the distinction that makes the detector worth having. A tool that reads the ARP cache every 30 seconds can be fooled indefinitely: once the poisoning settles, the cache just shows the attacker’s MAC as “the gateway,” stable and wrong. Reading the table can never witness the poisoning arrive. Sniffing the wire can.
Detection is free
Real-time ARP spoofing detection ships in the free version of WifiThreatWatch and always will. Knowing you’re under attack shouldn’t be the paywalled part. (Breaking the attacker’s hold — the Active Defense response and the encrypted tunnel — is the part a subscription covers.)
Read more: how ARP spoofing works · how to detect ARP spoofing yourself · the Active Defense response