/ THREATS — ARP SPOOFING · CRITICAL

ARP Spoofing

The attacker becomes an invisible middleman between you and your router.

/ WHAT IT IS

What it is

ARP spoofing — also called ARP poisoning — is the classic way an attacker on your local network turns themselves into an invisible middleman between you and your router.

Every device on a network uses ARP (the Address Resolution Protocol) to map IP addresses to hardware MAC addresses. ARP was designed without any authentication: devices simply trust whatever ARP replies they receive. An attacker exploits that trust by lying about who they are.

Once the attack succeeds, everything you send flows through the attacker’s machine first. Anything unencrypted — and the metadata of everything else — is theirs to read.

/ THE ATTACK

How attackers do it

The attacker broadcasts forged ARP messages onto the network. They tell your device, “the router’s IP address is at my MAC,” and they tell the router, “your device’s IP is at my MAC too.” Both sides update their ARP caches and start sending traffic to the attacker, who quietly forwards it on so nothing looks broken.

path you think you haveYOUyour laptopROUTERthe gatewayATTACKERone MAC, claimed as both
ARP MITMevery packet detours through the attacker before reaching your router

Most tools deliver this with a stream of unsolicited or gratuitous ARP replies, repeated often enough to keep the poisoned mapping fresh in everyone’s cache.

The reason it’s so dangerous is that it’s passive from your side. Your pages still load, your apps still work — the attacker is simply copying everything on the way through.

/ DETECTION

How we detect it

WifiThreatWatch watches the actual network traffic for the attack as it happens. A dedicated capture thread runs a packet sniffer over Npcap, capturing ARP frames off the wire in real time — instead of periodically reading a table the attacker has already rewritten.

That distinction matters. The naive approach pings the gateway and reads a single MAC from the ARP cache every 30 seconds — but an attacker who poisons and holds the cache passes that check forever, because the cache just shows the attacker’s MAC as “the gateway.” Reading the cache can never witness the poisoning happen. Sniffing the wire can.

READ THE CACHE — EVERY 30s
gateway → 3c:22:fb
PASS
A held poisoned cache reads clean forever.
SNIFF THE WIRE — LIVE
·
192.168.0.9 is-at 9a:04:e1
192.168.0.1 is-at 3c:22:fb
≠ baseline · CAUGHT
·
192.168.0.7 is-at 1f:88:0d
·
192.168.0.1 is-at e8:d1:1b
·
192.168.0.9 is-at 9a:04:e1
192.168.0.1 is-at 3c:22:fb
≠ baseline · CAUGHT
·
192.168.0.7 is-at 1f:88:0d
·
192.168.0.1 is-at e8:d1:1b
CACHE vs WIREreading the table can't witness the poisoning happen; sniffing the wire can

We reason about three signals:

Gateway impersonation — your router’s IP announced with a MAC that differs from the trusted baseline (raised as a critical alert). Conflicting bindings — the same IP asserting two different MACs inside a 30-second window. Unsolicited replies — broadcast and self-targeted ARP announcements, treated as corroborating evidence.

FREE FOREVERFree in every WifiThreatWatch install.
[ arp_sniffer.py — scapy AsyncSniffer over Npcap ]
/ RESPONSE

How we stop it

A detection doesn’t immediately panic you. First we run a two-signal verification — an active probe of your gateway plus live sniffer activity — to confirm the attack is genuinely happening and not a stale poisoned cache from an attack that already ended.

When it’s confirmed, you can tap Protect Me. We disconnect, randomize your MAC address, and pull a fresh IP — breaking the attacker’s targeting — then bring up an encrypted self-hosted VPN tunnel. If the attacker re-poisons, we change identity again, up to five times.

RE-POISONEDattacker re-asserts the gateway MAC
IDENTITY CHANGES
12345
RECLAIM LOOPif the attacker re-poisons, we change identity again — up to five times — until the lock breaks

See the full Active Defense flow →

WITH SUBSCRIPTIONActive Defense + VPN response. Requires subscription (or the free 10-minute trial).

See it in action.
Download WifiThreatWatch.