In the arpspoof command, what do the -t target and the trailing host arguments mean, and why is getting them right essential?
-t target is the machine whose ARP cache you poison; the trailing host is the identity you impersonate toward that target. In other words, you tell the target that the host's IP now lives at your MAC.
The syntax:
sudo arpspoof -i [interface] -t [target] [host]
Read it as: "On this interface, tell target that host is at my MAC."
Worked example (victim 192.168.1.42, gateway 192.168.1.1):
# Poison the victim: "the gateway is at my MAC"
sudo arpspoof -i eth0 -t 192.168.1.42 192.168.1.1
# Poison the gateway: "the victim is at my MAC"
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.42
Why both directions:
One command poisons only one cache, so you'd capture traffic in a single direction. To MitM a full conversation you must poison both the victim (so its outbound traffic comes to you) and the gateway (so the replies come back to you). The -r flag does both with one command.
The classic mix-up:
Swapping target and host poisons the wrong cache (or tells a host it's at your MAC, which does nothing useful). The mental model — "target hears a lie about host" — keeps it straight.
Tip: Of arpspoof's four options (interface, target, host, and the -r toggle) you supply three for a one-direction attack: interface, target, host. Forgetting -i makes arpspoof guess the interface, which often picks the wrong one on a multi-NIC box.
Go deeper:
dsniff (official page) — the toolkit that ships arpspoof; forging ARP replies to redirect LAN traffic.
dsniff (Wikipedia) — the suite (arpspoof, dnsspoof, sshmitm) and how arpspoof intercepts switched-LAN traffic.