Understanding ARP at the MAC layer

Khoa Pham
Published in Indie Goodies
3 min read · Sep 17, 2018

There’s a technique called ARP Spoofing.

ARP (Address Resolution Protocol) is a link layer protocol used to resolve a network layer address (IP) into a link layer address (MAC).

When we want to send an IP packet to another host (a computer in the same LAN, or the Gateway), we must know the destination IP address. For the packet to reach the destination, the destination IP address must be converted to the corresponding MAC address, so the transmission can be processed in the data link layer. To set up this IP-to-MAC mapping in the ARP table, we must first broadcast an ARP request to the LAN. In the happy case, the host with the IP in the ARP request replies with its MAC address.

Unfortunately, ARP is a stateless protocol. This means we continue to accept ARP replies and overwrite the old ones, even if they have not expired yet. Worse, ARP does not define any authentication method to check whether the replies come from the trusted host (the one we want to receive replies from). These give the attacker the chance to perform ARP Spoofing.
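Because the protocol itself will not reject such replies, the check has to be done by an observer. The following is an added example, not code from the original post: a passive monitor that decodes ARP payloads and flags replies nobody asked for and IP-to-MAC mappings that change before expiry. The names `ArpMonitor`, `sample` and `demo`, the 60 s TTL, the 2 s reply window and all addresses are assumptions made for the illustration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload (RFC 826 field order)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    dotted = lambda b: ".".join(str(x) for x in b)
    return oper, sha.hex(":"), dotted(spa), dotted(tpa)

class ArpMonitor:
    """Passive watcher (hypothetical name): tracks IP->MAC, flags anomalies."""
    def __init__(self, ttl=60.0, reply_window=2.0):
        self.ttl, self.reply_window = ttl, reply_window
        self.table = {}   # sender ip -> (mac, time last seen)
        self.asked = {}   # ip that was asked for -> time of that request

    def observe(self, payload, now):
        oper, mac, ip, target_ip = parse_arp(payload)
        alerts = []
        if oper == ARP_REQUEST:
            self.asked[target_ip] = now
        elif oper == ARP_REPLY:
            # A reply with no recent matching request is unsolicited.
            if now - self.asked.pop(ip, float("-inf")) > self.reply_window:
                alerts.append(f"unsolicited reply for {ip} from {mac}")
        old = self.table.get(ip)
        if old and old[0] != mac and now - old[1] < self.ttl:
            alerts.append(f"{ip} moved {old[0]} -> {mac} before expiry")
        self.table[ip] = (mac, now)
        return alerts

def sample(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload for the demo (addresses are made up)."""
    pack_ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha), pack_ip(spa),
                       bytes.fromhex(tha), pack_ip(tpa))

def demo():
    mon, host, gw, other = ArpMonitor(), "02" + "aa" * 5, "02" + "bb" * 5, "02" + "cc" * 5
    events = [  # (time in seconds, constructed payload)
        (0.0, sample(ARP_REQUEST, host, "192.0.2.10", "00" * 6, "192.0.2.1")),
        (0.1, sample(ARP_REPLY, gw, "192.0.2.1", host, "192.0.2.10")),
        (5.0, sample(ARP_REPLY, other, "192.0.2.1", host, "192.0.2.10")),
    ]
    return [mon.observe(p, t) for t, p in events]
```

The first two events are a normal request and its answer and raise nothing; the third reply arrives without a request and rebinds the gateway IP to a different MAC, so both alerts fire.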

The theory behind ARP Spoofing

From a machine in the LAN, the attacker associates his MAC address with the IP address of the target host (usually the Gateway), so that any traffic sent to that target host will come to…
