/ GUIDE — NETWORK SECURITY

How do you detect ARP spoofing?

The signs of an ARP poisoning attack, the Windows commands that surface it, and why the attack is built to stay invisible while it happens.

ARP spoofing is detectable — but not by looking at your screen. The attack is designed to be invisible while it runs: your pages still load and your apps still work. You catch it by watching for one contradiction — your router’s IP address answering from a different hardware (MAC) address than it did before, or two devices claiming the same IP. On Windows you can surface the first clues with arp -a; catching it reliably means watching ARP replies as they arrive, not reading a table after the attacker has already rewritten it.

You don’t see an ARP spoofing attack. You see the one number that shouldn’t have changed.
path you think you haveYOUyour laptopROUTERthe gatewayATTACKERone MAC, claimed as both
ARP MITMevery packet detours through the attacker before reaching your router
/ THE BASICS

What ARP spoofing actually is

Every device on a local network uses ARP — the Address Resolution Protocol — to map an IP address to the MAC (hardware) address that owns it. ARP has no authentication: a device simply believes whatever ARP replies it receives. An attacker abuses that trust by announcing “the router’s IP is at my MAC,” so your traffic flows through their machine on the way out.

That’s the whole trick, and it’s why it’s hard to notice: nothing on your screen changes. For the full mechanism, see how ARP spoofing works and the broader man-in-the-middle family. This guide is about the other side of the problem: how you see it.

/ THE SIGNS

What an ARP spoofing attack looks like

The attack leaves a handful of fingerprints in your device’s view of the network:

  • Your gateway’s MAC address changed. The router’s IP that used to resolve to one MAC now resolves to another. This is the single strongest signal.
  • One MAC, many IPs. A single hardware address appears next to several IP addresses in your ARP table — one machine claiming to be many devices, including the router.
  • Conflicting bindings. The same IP asserts two different MAC addresses within a short window — the moment the poisoning overwrites the real mapping.
  • A stream of unsolicited ARP replies. Broadcast or self-targeted “gratuitous” ARP announcements arriving when nothing asked for them, repeated often enough to keep the lie fresh.
  • Occasional connectivity hiccups. Not always present, but poisoning and re-poisoning can cause brief stalls — easy to blame on “bad WiFi.”
/ DETECTION

How to check for ARP spoofing on Windows

From quick snapshot to always-on, three practical approaches:

  1. Read the ARP table. Run ipconfig to find your Default Gateway, then arp -a to list IP-to-MAC mappings. Note the gateway’s MAC and compare it to the address printed on the router (or what it showed yesterday). Watch for one MAC sitting next to multiple IPs. It’s a snapshot — useful, but blind to a poisoning that’s already settled.
  2. Watch ARP traffic live. A packet capture tool like Wireshark, filtered to arp, shows replies as they arrive — including duplicate-address and gratuitous replies Wireshark itself flags. This is where you actually witness the poisoning happen instead of inferring it after the fact.
  3. Monitor continuously. Purpose-built monitoring captures ARP frames off the wire in real time, holds a trusted baseline for the gateway MAC, and alerts the instant an IP is claimed by a MAC that doesn’t match — the difference the diagram below makes plain.
READ THE CACHE — EVERY 30s
gateway → 3c:22:fb
PASS
A held poisoned cache reads clean forever.
SNIFF THE WIRE — LIVE
·
192.168.0.9 is-at 9a:04:e1
192.168.0.1 is-at 3c:22:fb
≠ baseline · CAUGHT
·
192.168.0.7 is-at 1f:88:0d
·
192.168.0.1 is-at e8:d1:1b
·
192.168.0.9 is-at 9a:04:e1
192.168.0.1 is-at 3c:22:fb
≠ baseline · CAUGHT
·
192.168.0.7 is-at 1f:88:0d
·
192.168.0.1 is-at e8:d1:1b
CACHE vs WIREreading the table can't witness the poisoning happen; sniffing the wire can
/ WHY IT’S HARD

Why reading the cache isn’t enough

The naive check pings the gateway and reads a single MAC from the ARP cache every so often. But an attacker who poisons the cache and holds it passes that check forever — the cache simply shows the attacker’s MAC as “the gateway,” stable and wrong. Reading a table can never witness the poisoning arrive; only watching the wire can.

That’s also why encryption alone isn’t detection. A VPN or HTTPS protects what you send, but the attacker still sits on your path, seeing metadata and destinations and able to interfere. Knowing the attack is happening is a separate problem from hiding your data from it.

/ THE TOOL

Catching it automatically

WifiThreatWatch does the live-capture approach continuously: a dedicated thread sniffs ARP frames off the wire, reasons about gateway impersonation, conflicting bindings, and unsolicited replies, and raises a verified alert the moment your router’s identity is spoofed — no commands to run, no table to read. Detection is free.

FREE FOREVERReal-time ARP spoofing detection is free, for Windows.

Go deeper: how we detect ARP spoofing · man-in-the-middle attacks · the threats library

/ FAQ

ARP spoofing: quick answers

How do I know if I’m being ARP spoofed?

The clearest sign is your gateway (router) IP address suddenly resolving to a different MAC address than it normally does, or the same MAC address appearing next to two different IPs in your ARP table. You can check a snapshot with “arp -a” on Windows, but because a spoofer holds the poisoned entry in place, a single snapshot can look perfectly normal — the reliable tell is watching ARP replies as they arrive on the wire.

Can ARP spoofing be detected?

Yes. ARP spoofing produces a specific signature: an IP address being claimed by a MAC that differs from the trusted baseline, conflicting IP-to-MAC bindings within a short window, and a stream of unsolicited (gratuitous) ARP replies. A tool that captures ARP frames live can see all three as they happen. A tool that only reads the ARP cache periodically often cannot, because a held poisoning reads as a stable — but wrong — entry.

Does a VPN stop ARP spoofing?

No. A VPN encrypts the contents of your traffic, which limits what an attacker can read, but ARP spoofing happens one layer below the VPN — it decides which physical machine your packets flow through. The attacker still controls your path, can see metadata and connection destinations, and can attempt to interfere with or downgrade connections. Encryption is a mitigation; it is not detection, and it does not remove the attacker from the path.

What does “arp -a” show?

“arp -a” prints your device’s current ARP table: a list of IP addresses on your local network and the MAC (hardware) addresses your device believes they belong to, along with whether each entry is dynamic or static. It’s useful for spotting a gateway MAC that has changed or a single MAC claiming multiple IPs — but it’s a point-in-time snapshot of a table the attacker may have already rewritten, not a live view of the attack.

Is ARP spoofing illegal?

Running ARP spoofing against a network or devices you do not own or have explicit permission to test is illegal in most jurisdictions — it’s unauthorized interception of communications. It is a legitimate technique only in authorized penetration testing and security research on systems you control or are contracted to assess. This guide is about detecting it as a defender.

The attack is invisible.
The evidence isn’t — if you’re watching the wire.