ARP Spoofing, find and stop?

I was using Wireshark to look at some things on my network and noticed a couple of devices showing as mfgname:ab:cd:ef (so, manufacturer and last 3 octets of the MAC address) rather than the IP address that I have set as the fixed lease. The devices are using those addresses as far as I can tell, though.

I did some searching and this is apparently a possible indicator of ARP spoofing.

So, I checked the IPFire logs and nothing jumps out… but I don’t really know what would be logged.

I have since added arpalert and am checking the log regularly.

Would I see something in the IPFire logs that would indicate ARP spoofing?

If so, is there something there I can/should use to make a firewall rule?

My reading, so far, has not found much info on how to actually identify it and steps to stop it. If you know a good source of such info, please point me to it.

Please add a few lines of what you see in Wireshark. A screen snapshot might do. This should help others assist you.

I hope the following page will explain a lot.



Thanks to all for the replies.

Yes, the link shows what I’m seeing. But here I see it in the capture window, not the detail window as they show.

So it appears it is just some magic that Wireshark does. Knowing the OUI terms should make it easier to search.

What do you see for other ARP packets?

This is right. As you have shown in your Wireshark image, these are ARP packets. They operate at the MAC level. There is no IP address known.
For example, the ARP request message “Who has IP” asks for the MAC associated with the IP. The sender address is the MAC of the asking device; the destination is the broadcast address (“all”).
The answer is directed to the sender MAC.

BTW: ‘Normal’ packets contain MAC addresses also, but they work at the IP level (IP1 -> IP2); the sender and receiver MACs may not be the MACs of the two endpoints if a router and/or switch is on the data path.
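A defender-side check in the spirit of arpalert, added here as an example and not code from the thread or from IPFire: it parses the Ethernet/ARP frames described above (the “Who has” request and its reply), keeps an IP-to-MAC table seeded from the fixed leases, and flags any sender whose claimed binding contradicts the lease or an earlier observation. All frames, MACs and addresses below are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806  # EtherType for ARP; ARP carries no IP header of its own

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet/ARP frame; op 1 = request (broadcast), 2 = reply (unicast)."""
    dst = b"\xff" * 6 if op == 1 else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)

def detect_spoofing(frames, leases):
    """Flag ARP senders whose IP->MAC binding contradicts the fixed leases or an earlier binding."""
    seen = dict(leases)  # known-good bindings (fixed leases) seed the table
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, tha, tpa = parsed
        if spa == "0.0.0.0":  # ARP probe: sender claims no address yet
            continue
        expected = seen.setdefault(spa, sha)
        if expected != sha:
            alerts.append(f"{spa} claimed by {sha}, expected {expected} ({'reply' if op == 2 else 'request'})")
    return alerts

# Constructed sample traffic: gateway .1 answers a request, then a second host
# answers for the gateway's IP with its own MAC (the pattern arpalert reports).
LEASES = {"192.168.1.1": "aa:bb:cc:00:00:01"}
SAMPLE = [
    build_arp(1, "aa:bb:cc:00:00:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(2, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    build_arp(2, "de:ad:be:ef:00:99", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
]
```

Running `detect_spoofing(SAMPLE, LEASES)` on a real capture would take frames read from a pcap instead of the constructed list; the alert it produces here is the gateway IP being claimed by a second MAC.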