Is XArp detecting a false positive?

Today I really got into the ARP protocol and its attacks. I tried to download XArp to test my network and it said there was an attack detected. Then I researched it some more, but I found nothing that actually concerned it. Sometimes, it popped up an alert saying the PC sent a frame but the destination coincided (the source address was the PC and recipient address was broadcast FF:FF:FF...). This afternoon I ran XArp again to check if something had changed. Accidentally, I switched the connection on my phone (from my main network to a repeater), and I saw that another attack was detected. Then, I tried to connect my phone back and the program gave me the same result. Since an ARP attack is detected by XArp when there is a request from a device with the same MAC address as another one, but with a different IP address, and since the requests from the repeater have the same MAC (the repeater's) but different IPs (the devices'), do you think this is related? Is it a false positive?

Please let me know if you think I got something wrong or there's another explanation. Thanks.

1 Answer

You are most likely correct about the repeater. If it's connected to a regular Wi-Fi network, it will be forced to use its own MAC address due to limitations of Wi-Fi client connections. (It's unfortunate that 4addr mode is so uncommon among wireless routers.)

However, the pattern is the opposite from what you describe – a device with a single MAC address having multiple IPs is completely valid.[1] Rather it's a single IP address moving between different MAC addresses that often indicates an ARP spoofing attack.

So when your phone switches to a repeater, to the rest of the network it can definitely look like the repeater is sending spoofed packets with the phone's IP address on them, because the MAC address is suddenly different.


[1] (PCs can have multiple IPs assigned to them at once. Also, all packets going through a router will always be sent from the router's own MAC address.)
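
The distinction drawn in the answer above, as an added example that is not part of the original post and is not XArp's own logic: a minimal monitor that alerts when an IP moves to a different MAC but stays quiet when one MAC carries several IPs. All addresses, the `analyze` function and the `trusted_relays` allowlist are assumptions made for illustration.

```python
# Added example: all addresses below are constructed sample data.
from collections import defaultdict

# Constructed ARP observations as (ip, mac), in arrival order.
OBSERVATIONS = [
    ("192.168.1.1",  "aa:aa:aa:00:00:01"),  # router
    ("192.168.1.20", "bb:bb:bb:00:00:02"),  # phone on the main network
    ("192.168.1.30", "cc:cc:cc:00:00:03"),  # laptop behind the repeater
    ("192.168.1.20", "cc:cc:cc:00:00:03"),  # phone after roaming to the repeater
    ("192.168.1.20", "bb:bb:bb:00:00:02"),  # phone back on the main network
]
REPEATER_MAC = "cc:cc:cc:00:00:03"  # hypothetical MAC of the repeater


def analyze(observations, trusted_relays=frozenset()):
    """Return (alerts, ips_per_mac).

    An alert is raised when an IP that was bound to one MAC is seen with
    another. A MAC that carries several IPs never raises one by itself.
    """
    ip_to_mac = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # The binding moved. Suppress only when a known relay is involved.
            if previous not in trusted_relays and mac not in trusted_relays:
                alerts.append((ip, previous, mac))
        ip_to_mac[ip] = mac
    return alerts, dict(ips_per_mac)


if __name__ == "__main__":
    alerts, per_mac = analyze(OBSERVATIONS)
    for ip, old, new in alerts:
        print(f"ALERT {ip}: {old} -> {new}")
    print("repeater MAC carries:", sorted(per_mac[REPEATER_MAC]))
    quiet, _ = analyze(OBSERVATIONS, trusted_relays={REPEATER_MAC})
    print("alerts with repeater trusted:", len(quiet))
```

Allowlisting a relay MAC hides every binding change that involves that MAC, so the list should contain only devices you have verified yourself.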
