Do not always talk about ARP Spoofing

For enterprisesNetworkThe biggest headache for administrators is probably the ARP spoofing virus, which may make it difficult for all hosts on the Intranet to access the Internet, however, in the actual maintenance process, due to the ARP spoofing virus feature, many network administrators can directly start from ARP spoofing solutions after discovering an Internet connection failure, however, we should know that not all Intranet faults are caused by ARP spoofing. In many cases, ARP spoofing has become a scapegoat for other viruses and faults, today, based on my own experience, I will introduce you to the methods for judging ARP spoofing.

　　I. Features of ARP spoofing:

ARP spoofing is a feature of local machines.GatewayThe corresponding address information is spoofed. The original correct address is tampered with by the hacker. The hacker acts as a gateway to implement ARP spoofing. When querying the arp cache table through ARP-a on a faulty computer, you will find that the MAC address corresponding to the gateway IP address is different from the normal one. The correct gateway MAC address is tampered.

In general, the gateway MAC address is different from the normal address, which is the biggest feature of ARP spoofing. Once this point is confirmed, it can be determined that there is an ARP spoofing virus in the intranet.

　　2. Coincidentally, it is regarded as ARP spoofing:

Since we know that the biggest feature of ARP spoofing virus is MAC address forgery, We can query the MAC address corresponding to the correct gateway to determine whether the Intranet is infected with the ARP spoofing virus. Generally, gateway devices of small and medium-sized enterprises can be divided into routing switch devices andServer(Single machine ). If the enterprise directly passesVroFor data forwarding, the gateway address should be the IP address of the network connection interface. If you access the Internet through a proxy or a single firewall, the gateway address should be the gateway address.Server. Next we will explain in sequence how to query the correct gateway MAC address of these devices.

(1) query the MAC address of the port on the routing switch device:

The routing switch device has many ports, each of which corresponds to a MAC address. Therefore, we must first determine which port the Intranet device is connected, after confirming the specific port, we can go to the routing switch device management interface to query the real MAC address of the port. The specific command is as follows --

First, go to the routing switch device management interface, then enter the corresponding port, and execute the display interface. For example, to query the address information of the ethernet 0 interface, we must first execute int ethernet 0 to enter the ethernet 0 interface, and then execute the display interface to query the interface information, in the displayed list, we can see the hardware address is 00-0f-e2-30-6b-84. Here, 00-0f-e2-30-6b-84 is the MAC address corresponding to the port. Of course, if we are not sure, we can also determine whether it is the gateway address we need based on the IP address information after the internet address. (1)

(2) query the MAC address of the gateway on the server:

If the gateway is a server or a single host device, it is easier to query the gateway MAC address, we only need to go to "start"> "run"> "Enter CMD and press ENTER" to enter the Command Prompt window, and then enter ipconfig/all in the command line window to view the network parameter information of the local machine, there is a line of physical address in the displayed address information, which lists the MAC address information of the server as the gateway. (2)

(3) cleverly identified as ARP spoofing:

After determining the MAC address of the gateway, we need to determine whether the Intranet fault is caused by the ARP spoofing virus, choose Start> run on any machine or a dedicated host with a problem to enter the Command Prompt window, and then run the arp-a command, here we will see all ARP cache table information listed on the local machine. Check the MAC address corresponding to the gateway IP address and check whether it is consistent with the MAC address of the gateway we previously found. If it is the same, the Intranet is not infected with the ARP spoofing virus, if the difference is true, the computer with the fake MAC address is infected with the ARP spoofing virus. (3)

　　Iii. Summary:

Not all Intranet access failures are caused by ARP spoofing viruses. I have been contacted by many network administrators to talk about ARP spoofing viruses. I hope this article can help the network management quickly locate faults, do not think that ARP spoofing viruses are the creators of Intranet failures. You must be aware of other viruses and hacker intrusion,DriverFaults and other problems will also cause Intranet access failures. We hope that the management personnel will not repeatedly start from ARP spoofing to solve all fault problems, so they will only take a detour, we still need to maintain a calm mind in troubleshooting.