ARP Spoofing
The attacker becomes an invisible middleman between you and your router.
What it is
ARP spoofing — also called ARP poisoning — is the classic way an attacker on your local network turns themselves into an invisible middleman between you and your router.
Every device on a network uses ARP (the Address Resolution Protocol) to map IP addresses to hardware MAC addresses. ARP was designed without any authentication: devices simply trust whatever ARP replies they receive. An attacker exploits that trust by lying about who they are.
Once the attack succeeds, everything you send flows through the attacker’s machine first. Anything unencrypted — and the metadata of everything else — is theirs to read.
How attackers do it
The attacker broadcasts forged ARP messages onto the network. They tell your device, “the router’s IP address is at my MAC,” and they tell the router, “your device’s IP is at my MAC too.” Both sides update their ARP caches and start sending traffic to the attacker, who quietly forwards it on so nothing looks broken.
Most tools deliver this with a stream of unsolicited or gratuitous ARP replies, repeated often enough to keep the poisoned mapping fresh in everyone’s cache.
The reason it’s so dangerous is that it’s passive from your side. Your pages still load, your apps still work — the attacker is simply copying everything on the way through.
How we detect it
WifiThreatWatch watches the actual network traffic for the attack as it happens. A dedicated capture thread runs a packet sniffer over Npcap, capturing ARP frames off the wire in real time — instead of periodically reading a table the attacker has already rewritten.
That distinction matters. The naive approach pings the gateway and reads a single MAC from the ARP cache every 30 seconds — but an attacker who poisons and holds the cache passes that check forever, because the cache just shows the attacker’s MAC as “the gateway.” Reading the cache can never witness the poisoning happen. Sniffing the wire can.
We reason about three signals:
Gateway impersonation — your router’s IP announced with a MAC that differs from the trusted baseline (raised as a critical alert). Conflicting bindings — the same IP asserting two different MACs inside a 30-second window. Unsolicited replies — broadcast and self-targeted ARP announcements, treated as corroborating evidence.
How we stop it
A detection doesn’t immediately panic you. First we run a two-signal verification — an active probe of your gateway plus live sniffer activity — to confirm the attack is genuinely happening and not a stale poisoned cache from an attack that already ended.
When it’s confirmed, you can tap Protect Me. We disconnect, randomize your MAC address, and pull a fresh IP — breaking the attacker’s targeting — then bring up an encrypted self-hosted VPN tunnel. If the attacker re-poisons, we change identity again, up to five times.
See the full Active Defense flow →
Evil Twin
A fake access point broadcasts your network’s name to lure your device onto attacker-controlled hardware.
Read more →Rogue Device
A device you never authorized quietly joins your network and gains a foothold on your LAN.
Read more →Homoglyph SSID
A network named with look-alike Unicode characters renders identical to yours but isn’t.
Read more →