ARP Poisoning and the Usage of Ettercap

Ranmal Dewage
7 min readMay 19, 2021
Source (

Before dive into ARP Spoofing, let understand what is ARP(Address Resolution Protocol) means. The logical address (IP address) is used by machines to send and receive messages. But the physical address (MAC address) in layer 2 of the OSI model is responsible for the actual communication to happen. So we should get the destination MAC address which helps in communicating with other devices. This is where ARP comes into the picture. It is the protocol that is responsible for the mapping of IP addresses to their corresponding MAC addresses. The ARP protocol provides two basic functions;

  • Resolving IPv4 addresses to MAC addresses: For a frame to be placed on the LAN media, it must have a destination MAC address. When a packet is sent to the Data Link Layer to be encapsulated into a frame, the node refers to a table in its memory to find the Data Link Layer address that is mapped to the destination IPv4 address. This table is called the ARP Table or the ARP Cache. The ARP table is stored in the RAM of the device. You can view your ARP cache by issuing the arp -a command in the Command Prompt or Windows Powershell. Each entry, or row, of the ARP table, has a pair of values as an IP Address and a MAC address. The relationship between the two values is called a Map. It simply means that you can locate an IP address in the table and discover the corresponding MAC address. The ARP table caches the mapping for the devices on the LAN.
Figure 1: ARP Cache Table
  • Maintaining a cache of mappings: The ARP table is maintained dynamically. There are two ways that a device can gather MAC addresses. One way is to monitor the traffic that occurs on the local network segment. As a node receives frames from the media, it can record the source IP and MAC address as a mapping in the ARP table. As frames are transmitted on the network, the device populates the ARP table with address pairs. Another way a device can get an address pair is to broadcast an ARP request. ARP sends a layer 2 broadcast to all devices on the Ethernet LAN. The frame contains an ARP request packet with the IP address of the destination host. The node receiving the frame identifies the IP address as its IP address and responds by sending an ARP reply packet back to the sender as a unicast frame. This response is then used to make a new entry in the ARP table. These dynamic entries in the ARP table are timestamped. If a device does not receive a frame from a particular device before the expiration of the timestamp. Then the entry for that device is removed from the ARP table. Additionally, static map entries can be entered in an ARP table, but this is rarely done. Static ARP table entries do not expire over time and must be manually removed.

ARP Process of making requests to the IPs outside LAN

Figure 2: Asking for MAC address of Default Gateway
Figure 3: Layer 2 Broadcast in LAN to find Default Gateway MAC
Figure 4: Host B ignores the Broadcast Message
Figure 5: Default Gateway responds to the Broadcast Message with its MAC
Figure 6: Host A update its ARP Cache with IP and MAC address mapping

First of all, Host A is requesting an IP address that is not in the range of the Local Area network IPs. Therefore, it will ask for the MAC address of the default gateway IP ( in this cases) by sending a layer 2 broadcast message to all the hosts in the LAN. As shown in figure 4, Host B will ignore the message as it is not matching with its IP. But router default gateway recognizes it as its IP address and responds to Host A by including the MAC address in the response. After that, Host a will dynamically cache that mapping in ARP cache. Now whenever sending traffic to the outer networks, Host A will use that MAC address together with the default gateway IP address for the generation of frames for the Data Link Layer of the OSI model.

ARP Spoofing/Poisoning

ARP Spoofing is a technique where the attacker sends Malicious ARP Packets to the default gateway and to the host who is communicating with the default gateway in the local area network. The main intention is to associate the attacker’s MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. It allows the attacker to modify traffic and intercept data frames. As a result, leading to a comma attacking terminology called the Man in the Middle Attack (MITM).

Figure 7: Now Host B which is the Unethical Hacker/Attacker launch an ARP Poisoning Attack
Figure 8: Hacker modified the ARP Cache of Host A
Figure 9: Re-route the traffic of Host A to the Attacker
Figure 10: After reading data packets Attacker route the traffic to Default Gateway

Imagine the Host B in the above scenario is an Unethical Hacker/Attacker. He/She can use some hacking tools like Ettercap and modify the ARP cache of the host and default gateway. Then listen and capture the data frames exchange between them. Let see how we can use a tool like Ettercap to achieve such tasks.

Usage of Ettercap

If you have a Kali Linux operating system Ettercap program is by default installed in the system. Ettercap is a graphical interface that’s very beginner-friendly, unlike many of the programs that are command-line-based only. If you don’t have it in your system by default, use the following command to install it.

> apt install ettercap-graphical
Figure 11: Kali Linux Operating System
Figure 12: Open the Ettercap Program
Figure 13: Ettercap Home Screen
Figure 14: Click The Tick icon on the top right corner to run the Ettercap

First, open the Ettercap program then you will get the display as shown in figure 13. Then click the Tick icon on the top right corner to run the Ettercap programs, as shown in figure 14. After that click the Three Dot icon and go inside Host. After that, select the Scan for hosts option. To display the list of scanned hosts on the network, again go inside the Host and select the Host list option. Now you can see the hosts available in the local network, as shown in figure 19 below.

Figure 15: Host option inside Three dots icon
Figure 16: Scan for host option inside Host option
Figure 17: Scanning Summary
Figure 18: Host list option inside Host option
Figure 19: Summary of the list of hosts available inside the local network

To initiate the ARP poison attack click on the host and the default gateway to add them to the target, as shown in figures 20 and 21. After that, to start the ARP poison attack, click the Globe Icon in the top right corner and select the ARP Poisoning MITM option, as shown in figure 22. Now, as the attacker, you can use the Wireshark tool to trace the packet transfer between the host and the default gateway. Let’s image as the victim you are communicating with the HTTP protocol-based website. The moment you enter the username and password for that website, the attacker can filter that traffic and obtain the username and password through Wireshark, as shown in figures 24 and 25. Also, it will notify the attacker’s Ettercap program, as shown in figure 26. The password and username are visible due to the usage of the unencrypted HTTP protocol.

Figure 20: Add Host as a Target in Ettercap
Figure 21: Add Default Gateway as a Target in Ettercap
Figure 22: Selecting ARP poisoning option to start the ARP poison MITM
Figure 23: Filter ARP request in Wireshark
Figure 24: Filter frames that contain PWD (password) field
Figure 25: Explore PWD (password) field in Wireshark as messages are not encrypted since using the HTTP protocol
Figure 26: Ettercap automatically detect and display packets or frames with PWD (password) fields

Nowadays, ARP Poisoning is rare and avoided due to reasons like the usage of encrypted communication in HTTPS protocol, Dynamic ARP Inspection, Static ARP Entries, VPNs, and Packet Filters. This article is prepared to make awareness of such exploitations toward users and developers. Always use this knowledge to solve troubles that happen to others and yourself, but not to cause any trouble for others. Knowing how to use these exploits is like having superpowers. The action you do with your power defines who you are, whether you are a Superhero😇✌ or a Supervillain 😈👎.



Ranmal Dewage

Software Engineer at Sysco Labs, Graduate of Sri Lanka Institute of Information Technology (SLIIT).