arpspoof: Forge ARP Replies to Intercept Packets

arpspoof is a tool that forges ARP replies to redirect traffic through your machine. Use it responsibly and only on networks you own or have permission to test.

Quickstart: your first, simple intercept

Three common scenarios are shown below. Replace the placeholders with real values from your network.

  • Poison all hosts on an interface for a host:
      sudo arpspoof -i {{wlan0}} {{host_ip}}
  • Poison a specific target to intercept packets on an interface for the host:
      sudo arpspoof -i {{wlan0}} -t {{target_ip}} {{host_ip}}
  • Poison both target and host to intercept packets on an interface for the host (redirects traffic between target and host):
      sudo arpspoof -i {{wlan0}} -r -t {{target_ip}} {{host_ip}}

What arpspoof does

  • ARP spoofing: it sends crafted ARP replies to poison the ARP cache of other machines on the local network.
  • Intercept/tap traffic: the attacker’s machine becomes a man-in-the-middle for the specified hosts.
  • Requires root privileges and a reachable gateway/host on the same L2 network.
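The poisoning described above leaves a signature a defender can watch for on the wire: an IP that was being answered by one MAC is suddenly answered by another, or a reply contradicts a known-good binding for the gateway. The script below is an added example, not part of arpspoof or of this page; it runs those two checks over a constructed list of ARP replies (every IP, MAC and timestamp in it is made up) and is written so the same function could be fed records parsed from a real capture.

```python
"""ARP cache poisoning detector (added example; not arpspoof's own code).

Two checks run over a time-ordered stream of ARP replies:
  1. trusted-binding-violation: a reply speaks for an IP whose MAC is pinned
     in a trusted table (e.g. the default gateway) but advertises another MAC.
  2. mac-changed: an IP that was recently answered by one MAC is now answered
     by a different one within `window` seconds, the flip-flop that cache
     poisoning produces.
All sample replies and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture timestamp in seconds
    sender_ip: str     # IP address the reply speaks for
    sender_mac: str    # MAC the reply binds that IP to
    target_ip: str     # host whose ARP cache the reply updates


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    previous_mac: Optional[str]   # MAC last seen for the IP (or the trusted MAC)
    claimed_mac: str
    reasons: Tuple[str, ...]


def detect_poisoning(replies: Iterable[ArpReply],
                     trusted: Optional[Dict[str, str]] = None,
                     window: float = 60.0) -> List[Alert]:
    """Return one Alert per reply that trips at least one of the two checks."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    last_seen: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, ts)
    alerts: List[Alert] = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        reasons = []
        expected = trusted.get(r.sender_ip)
        if expected is not None and expected != mac:
            reasons.append("trusted-binding-violation")
        prev = last_seen.get(r.sender_ip)
        if prev is not None and prev[0] != mac and r.ts - prev[1] <= window:
            reasons.append("mac-changed")
        if reasons:
            alerts.append(Alert(ts=r.ts, ip=r.sender_ip,
                                previous_mac=prev[0] if prev else expected,
                                claimed_mac=mac, reasons=tuple(reasons)))
        last_seen[r.sender_ip] = (mac, r.ts)
    return alerts


# Constructed sample: a gateway (.1), a host (.50), and a third machine whose
# MAC starts with de:ad:be:ef standing in for the poisoning box.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.50"),   # real gateway answers host
    ArpReply(1.0, "192.168.1.50", "aa:aa:aa:aa:aa:50", "192.168.1.1"),   # real host answers gateway
    ArpReply(5.0, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.50"),   # forged: "gateway is at de:ad..."
    ArpReply(7.0, "192.168.1.50", "de:ad:be:ef:00:01", "192.168.1.1"),   # forged (-r style): "host is at de:ad..."
    ArpReply(9.0, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.50"),   # forged reply repeated
    ArpReply(12.0, "192.168.1.77", "aa:aa:aa:aa:aa:77", "192.168.1.50"), # unrelated benign reply
]
TRUSTED = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}   # pinned gateway binding


if __name__ == "__main__":
    for a in detect_poisoning(SAMPLE_REPLIES, TRUSTED):
        print(f"t={a.ts:5.1f}s {a.ip:<14} {a.previous_mac} -> {a.claimed_mac}  "
              f"{', '.join(a.reasons)}")
```

On the sample data the run reports three alerts: the first forged gateway reply (both checks fire), the forged host reply (MAC changed), and the repeated forged gateway reply (trusted binding still violated). A production monitor would deduplicate the repeats and would need a learning period before the mac-changed rule is meaningful, since the first reply seen for an IP is taken on trust.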

Quick tips

  • Network scope: ARP spoofing only affects machines on the same broadcast domain. Routers and switches with ARP inspection may block spoofed replies.
  • IP forwarding: if you intend to forward traffic through your machine rather than just tap it, enable IP forwarding first:
      sudo sysctl -w net.ipv4.ip_forward=1
  • Monitoring vs. interference: arpspoof only poisons ARP caches by sending forged replies; it neither captures nor forwards traffic itself, so pair it with a capture tool such as tcpdump or Wireshark to inspect what is redirected.
  • Cleanup: stop arpspoof to end the poisoning, then confirm that the ARP tables on the affected hosts show the real mappings again.
  • Legality and ethics: conduct only on networks you own or have explicit permission to test.

Common pitfalls

  • Forgetting to specify the correct interface: ARP poisoning is local to the interface you choose with -i.
  • Running without root: arpspoof requires elevated privileges; use sudo.
  • Wrong target syntax: ensure you provide correct IPs for target and host, otherwise you may not see the intended traffic.

How to safely experiment in a lab

  • Create a controlled lab network with a few hosts or VMs.
  • Disable interfering security features if you’re troubleshooting, but re-enable them after testing.
  • Use capture tools to verify you’re seeing the traffic you expect:
      sudo tcpdump -i {{wlan0}} icmp or port 80
