Detect ARP Spoofing using traceroute


I'm making an application that can detect ARP spoofing :]

My idea is that if there is an attacker in the subnet, and he tries to MITM using ARP poisoning, then I exec traceroute to the default gateway (or the changed ARP cache entry, whatever).

Because all my packets go through the attacker's PC, traceroute will show some sign.

Is there any problem with my idea? Is it proper or not?


The proper way to detect ARP spoofing is with software like arpwatch.

arpwatch will see that two machines are fighting over the same IP address and notify you.

Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)

If you see entries like this for your IP address, then start looking for the switchport that sources the hostile mac-address in question.

As a general answer to your question, traceroute is the wrong way to detect this. Just monitor ARPs and maintain a table of mac-address to IP mappings.
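The "monitor ARPs and keep an IP-to-MAC table" approach described in the answer, as a small added example in the spirit of arpwatch (this is not arpwatch's own code); the two ARP packets it feeds in are constructed here, reusing the IP and MACs from the log line above, and the Ethernet-header stripping and raw-socket capture are assumed to happen elsewhere.

```python
import struct
from typing import Optional

# Example ARP monitor: remember which MAC last claimed each sender IP and
# report "changed station" when a different MAC claims it (arpwatch-style).
# The packets used below are constructed test data, not real captures.

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REPLY = 2

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(payload: bytes) -> dict:
    """Decode the 28-byte Ethernet/IPv4 ARP payload that follows the Ethernet header."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

class ArpWatcher:
    def __init__(self):
        self.table = {}  # sender IP -> MAC that last claimed it

    def observe(self, payload: bytes) -> Optional[str]:
        """Record the sender fields of one ARP packet; return an alert string or None."""
        pkt = parse_arp(payload)
        ip, mac = pkt["spa"], pkt["sha"]
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is None:
            return f"new station {ip} {mac}"
        if old != mac:
            return f"changed station {ip} {mac} ({old})"
        return None

def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed ARP payload (used here only to generate test input)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha.replace(":", "")), bytes(map(int, spa.split("."))),
                       bytes.fromhex(tha.replace(":", "")), bytes(map(int, tpa.split("."))))

if __name__ == "__main__":
    w = ArpWatcher()
    # constructed: the gateway answers for 192.168.1.2, then a second MAC claims the same IP
    for p in (build_arp(ARP_REPLY, "00:17:9a:0a:f6:44", "192.168.1.2", "aa:bb:cc:dd:ee:ff", "192.168.1.10"),
              build_arp(ARP_REPLY, "00:17:9a:0b:f6:f6", "192.168.1.2", "aa:bb:cc:dd:ee:ff", "192.168.1.10")):
        alert = w.observe(p)
        if alert:
            print(alert)
```

Hosts with a legitimately changed NIC also trigger "changed station", so treat the alert as a prompt to locate the switchport, as the answer suggests, not as proof of an attack.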