Files
Anthropic-Cybersecurity-Skills/skills/detecting-arp-poisoning-in-network-traffic/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

1.7 KiB

ARP Poisoning Detection — API Reference

Libraries

Library Install Purpose
scapy pip install scapy PCAP parsing and ARP packet analysis

Scapy ARP Packet Fields

Field Description
op Operation: 1=request, 2=reply
hwsrc Source MAC address
psrc Source IP address
hwdst Destination MAC address
pdst Destination IP address

ARP Spoofing Indicators

Indicator Description Severity
Duplicate MACs for IP Same IP mapped to multiple MACs CRITICAL
MAC claiming many IPs One MAC responding for 3+ IPs HIGH
Gratuitous ARP flood Excessive unsolicited ARP replies MEDIUM
ARP flip-flop IP/MAC mapping changes rapidly HIGH

Scapy PCAP Analysis

from scapy.all import rdpcap, ARP
packets = rdpcap("capture.pcap")
arp_replies = [p for p in packets if ARP in p and p[ARP].op == 2]

System ARP Table

arp -a                  # Display ARP table
arp -d <ip>            # Delete ARP entry
ip neigh show          # Linux: show neighbor table

arpwatch Database Format

<mac>\t<ip>\t<timestamp>\t<hostname>

Detection Tools

Tool Description
arpwatch Monitors ARP table changes, emails on flip-flop
arpsnitch Real-time ARP spoofing alert
XArp Advanced ARP spoofing detection
Snort rule alert arp any any -> any any (msg:"ARP spoof"; ...)

External References