An Introduction to ARP Spoofing
P U R P O S E
This paper deals with the subject of ARP spoofing. ARP spoofing is a method of exploiting the interaction
of IP and Ethernet protocols. It is only applicable to Ethernet networks running IP.
The material is presented so that anyone with basic networking experience can follow the key
points. Knowledge of the TCP/IP reference model is vital to full understanding, as is familiarity
with the operation of switched and non-switched networks. Some background is presented in the
“Introduction” section, but experienced readers may wish to skip to “Operation”.
I N T R O D U C T I O N
A computer connected to an IP/Ethernet LAN has two addresses. One is the address of the network card,
called the MAC address. The MAC, in theory, is a globally unique and unchangeable address which is stored on the
network card itself. MAC addresses are necessary so that the Ethernet protocol can send data back and forth,
independent of whatever application protocols are used on top of it. Ethernet builds “frames” of data, consisting
of 1500-byte blocks. Each frame has an Ethernet header, containing the MAC address of the source and the
The second address is the IP address. IP is a protocol used by applications, independent of whatever
network technology operates underneath it. Each computer on a network must have a unique IP address to
communicate. IP addresses are virtual and are assigned via software.
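
The two addresses described above sit in different headers of the same frame. The following parser is an added example, not part of the original paper; it assumes Ethernet II framing with an IPv4 payload, and the MAC and IP addresses in the sample frame are constructed.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETH_HEADER_LEN = 14  # destination MAC (6) + source MAC (6) + EtherType (2)


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Extract the hardware and IP addresses carried by one Ethernet II frame."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    out = {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src),
           "ethertype": ethertype, "src_ip": None, "dst_ip": None}
    if ethertype != ETHERTYPE_IPV4:
        return out  # not carrying an IP packet; no IP addresses to report
    ip = frame[ETH_HEADER_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 payload")
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("invalid IPv4 header length")
    out["src_ip"] = str(ipaddress.IPv4Address(ip[12:16]))
    out["dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    return out


def build_sample_frame() -> bytes:
    """Constructed sample: an IPv4 header with no payload inside an Ethernet header."""
    eth = (bytes.fromhex("020000000002")      # destination MAC (constructed)
           + bytes.fromhex("020000000001")    # source MAC (constructed)
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20, 0, 0, 64, 17, 0,  # checksum left 0, not verified
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("192.0.2.20").packed)
    return eth + ip


if __name__ == "__main__":
    for key, value in parse_frame(build_sample_frame()).items():
        print(f"{key}: {value}")
```

The MAC addresses come from the first 12 bytes of the frame and the IP addresses from the packet that follows the Ethernet header; the parser reads each pair independently of the other.
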
IP and Ethernet must work together. IP communicates by constructing “packets” which are similar to
frames, but have a different structure. These packets cannot be delivered without the data link layer. In our case
they are delivered by Ethernet, which splits the packets into frames, adds an Ethernet header for delivery, and
sends them down the cable to the switch. The switch then decides which port to send