ARP Poisoning

By Pat McKenna, published on March 28, 2006
Source: Tom's Guide US

5. ARP Poisoning

Let's take an example to highlight the issue. The following is a command to TCPDUMP to listen for all traffic destined for Google and to write the information retrieved to a file called goog.txt.

This is like the example of our chatty postman who shows everybody our mail. By the way, a more intuitive program for this purpose is the freely available ETHEREAL.


Now open up Google and run a query:

If we look at the contents of our goog.txt file we find:

If I'm on a switched network, traffic is delivered directly to the intended PC. Since my PC is not in the 'path' of that switched traffic, I cannot simply listen to it; I need to do something to get the target computers to communicate with me. I need to confuse the postman into thinking that all the post traveling between houses A and B should actually go through me.

It is the nature of a network that connected machines need to request addressing information from other machines to enable communication. Once this is established, each machine retains an ARP cache that contains an address list of the other connected machines that it needs to talk to regularly. This information is acquired on an as-needed basis; otherwise, every machine on the Internet would have the address of every other machine whether or not it needed to communicate with it.

Say that PC-A is talking to PC-B. Each of these computers has an IP (Internet Protocol) address and a MAC address.

These machines have requested addressing information from each other and stored that data in their respective ARP caches.
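
To make the ARP cache concrete from the defender's side, here is an added example (not part of the original article) that decodes ARP payloads, keeps an IP-to-MAC table the way a cache does, and reports when an address that is already cached is suddenly claimed by a different MAC. The addresses for PC-A, PC-B and the third host, and the helper names, are constructed for illustration.

```python
import socket
import struct

# ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload):
    """Decode an ARP payload into (oper, sender_mac, sender_ip)."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, ":".join(f"{b:02x}" for b in sha), socket.inet_ntoa(spa)

def find_rebinds(payloads):
    """Track IP->MAC bindings like a cache; return every changed binding."""
    cache, alerts = {}, []
    for payload in payloads:
        _oper, sender_mac, sender_ip = parse_arp(payload)
        previous = cache.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append((sender_ip, previous, sender_mac))
        cache[sender_ip] = sender_mac
    return alerts

def build_sample(oper, smac, sip, tmac, tip):
    """Hypothetical helper: pack one constructed ARP payload for the demo."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, raw(smac),
                       socket.inet_aton(sip), raw(tmac), socket.inet_aton(tip))

# Constructed sample traffic (all addresses are made up).
PC_A = ("02:00:00:00:00:0a", "192.168.1.10")
PC_B = ("02:00:00:00:00:0b", "192.168.1.20")
THIRD_MAC = "02:00:00:00:00:0c"
SAMPLE = [
    build_sample(1, PC_A[0], PC_A[1], "00:00:00:00:00:00", PC_B[1]),  # A asks for B
    build_sample(2, PC_B[0], PC_B[1], PC_A[0], PC_A[1]),              # B answers A
    build_sample(2, THIRD_MAC, PC_B[1], PC_A[0], PC_A[1]),            # B's IP, other MAC
]

if __name__ == "__main__":
    for ip, old, new in find_rebinds(SAMPLE):
        print(f"ALERT: {ip} was at {old}, now claimed by {new}")
```

A changed binding is a signal to investigate rather than proof of poisoning: a replaced network card or a reassigned DHCP lease produces the same alert.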
