/ GUIDE — NETWORK SECURITY

How do you detect a man-in-the-middle attack?

MITM isn’t one attack — it’s a goal reached three different ways. So you don’t look for “a MITM.” You look for the techniques that create one.

You don’t detect “a man-in-the-middle” in the abstract — you detect the technique that made one. ARP spoofing, an evil twin, or rogue DNS are all roads to the same place: the attacker on your path. So the practical answer is to watch the three things that give those techniques away — your gateway’s MAC, the hardware behind your network’s name, and your DNS resolver.

Someone is sitting in the middle of your connection, reading as it passes.
YOUINTERNETdirectADVERSARYreading as it passes
MAN IN THE MIDDLEthe same connection, re-routed so your traffic passes through the adversary
/ THE ROADS IN

Three ways to reach the middle

On a local network, the common routes to a man-in-the-middle position are ARP spoofing (impersonating your router at the hardware level), evil-twin access points (getting you onto attacker-controlled WiFi), and rogue DNS (redirecting your name lookups). The classic is ARP: every packet quietly detours through the attacker before it reaches your router.

path you think you haveYOUyour laptopROUTERthe gatewayATTACKERone MAC, claimed as both
ARP MITMevery packet detours through the attacker before reaching your router
/ WHY ENCRYPTION ISN’T ENOUGH

Encrypted contents, attacker still on the path

It’s tempting to think HTTPS or a VPN makes MITM a non-issue. They protect the contents of your traffic — genuinely valuable — but they don’t take the attacker off your path. A middleman still sees your metadata, timing, and destinations, can attempt downgrade attacks, and can interfere with connections.

YOUyour deviceATTACKERin the middleNETthe internetsees: path · metadata · timingcontents stay encrypted — but still routed through them
ENCRYPTED, STILL ROUTEDa VPN hides what you send — not the fact that an attacker is on your path

That’s the gap this whole category lives in: encryption is privacy, detection is security, and most people need both.

/ HOW TO DETECT IT

Spot the technique, not the abstraction

Rather than hunting for “a MITM,” check the concrete fingerprints. Compare your gateway’s MAC in arp -a to its real value; check the BSSID you’re on with netsh wlan show interfaces; read your resolver in ipconfig /all. A resolver that quietly changed is one of the clearest tells that something is redirecting you.

YOUR DEVICE
asks DNS
your-bank.com?
RESOLVER
1.1.1.1
→ 8.8.4.4
GOES TO
REAL BANK
trusted resolver — lookup resolves where it should
DNS REDIRECTthe same lookup, answered by whichever resolver sits in the middle

Continuous monitoring does all three at once — live ARP capture, mesh-aware BSSID/gateway/DNS checks — and runs a two-signal verification so a stale artifact doesn’t masquerade as a live attack.

/ STAYING PROTECTED

Remove the target, then encrypt

The durable answer isn’t only to encrypt around a middleman — it’s to remove what they’re targeting. Active Defense disconnects, randomizes your MAC and IP, reconnects with a clean identity, and only then brings up an encrypted tunnel. If the attacker re-establishes their position, it changes identity again, up to five times.

ATTACKER TARGETLOCKED
MACde:ad:be:ef
IP192.168.0.42
IDENTITY RESETa fresh MAC and IP break the attacker's lock before the tunnel comes up
/ THE TOOL

Catching it automatically

WifiThreatWatch detects the techniques that create a man-in-the-middle — ARP spoofing, evil twins, and DNS redirection — as they happen, verifies them, and can break the attacker’s targeting on one tap. Detection is free.

FREE FOREVERReal-time detection of the techniques behind MITM is free, for Windows.

Go deeper: the MITM threat page · detecting ARP spoofing · detecting evil twins

/ FAQ

Man-in-the-middle: quick answers

How do I know if I’m being man-in-the-middled?

Because MITM is a goal rather than one technique, you look for the techniques that create it: your gateway’s MAC address changing (ARP spoofing), a familiar network suddenly carried by unfamiliar hardware (an evil twin), or your DNS resolver changing (DNS redirection). Repeated certificate warnings, correctly-typed sites resolving to the wrong place, and unexplained slowdowns are corroborating signs. Any one can be innocent; together on a trusted network they point at a middleman.

What is a man-in-the-middle attack?

A man-in-the-middle (MITM) attack is any attack where an adversary positions themselves between you and whatever you’re trying to reach, so your traffic passes through them. From there they can read it, log it, or alter it. It isn’t a single technique — ARP spoofing, evil-twin access points, and rogue DNS are all different roads to the same destination.

Does HTTPS or a VPN stop a man-in-the-middle attack?

They limit it but don’t remove it. HTTPS and a VPN encrypt the contents of your traffic, so a middleman can’t easily read it — but the attacker still controls your path. They can see metadata and destinations, attempt downgrade attacks, and interfere with connections. Encryption protects your data; it doesn’t detect the attacker or take them off the path.

How do I detect a MITM attack on Windows?

Detect the concrete techniques. Compare your gateway’s MAC in “arp -a” against its real value, check the BSSID you’re associated with in “netsh wlan show interfaces” against your real router, and read your DNS resolver in “ipconfig /all.” Continuous monitoring does all three live — capturing ARP frames off the wire, checking BSSID/gateway/DNS, and flagging resolver changes — and verifies the attack is real before alarming.

You can’t fight a middleman you can’t see.
Detection is free.