LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What does arp -a show, and how can you tell from the ARP table that you've been ARP-poisoned?

arp -a lists IP↔MAC mappings the host has cached. After poisoning, you'll see the gateway's IP paired with the attacker's MAC — same MAC for two different IPs is a giveaway.

Normal output:

? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0   ← real gateway
? (192.168.1.42) at AA:BB:CC:DD:EE:FF [ether] on eth0  ← some other host

Poisoned output:

? (192.168.1.1) at AA:BB:CC:DD:EE:FF [ether] on eth0   ← gateway IP, attacker MAC!
? (192.168.1.42) at AA:BB:CC:DD:EE:FF [ether] on eth0  ← attacker IP, attacker MAC

Same MAC in two rows = red flag.

Cross-platform:

OS Command
Linux ip neigh (modern) or arp -a (legacy)
Windows arp -a
macOS arp -a

Detection in practice:

  • Compare current MAC of gateway to a known-good baseline
  • Tools like arpwatch monitor changes and alert
  • Switch with Dynamic ARP Inspection rejects forged ARPs

Why ARP cache lifetime matters:

Default ARP cache timeout is short (60-300 seconds). After cache entries expire, your machine ARPs again — if the attacker is still flooding forged ARPs, the new entry is poisoned again. If they stopped, you'd get the real MAC.

Sanity check the gateway:

ip route                     # See current default gateway IP
arp -n | grep <gateway_ip>   # Get its MAC
# Compare to expected MAC (from inventory, baseline, or a trusted host)

Tip: On a switched network, normally you don't see other hosts' MACs unless you've talked to them. After a sweep + DHCP request, your ARP table fills up — and that's also when poisoning becomes detectable.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026