Facing the local area network into hundred computers, one by one to detect is obviously not a good way. In fact, we just use the basic principle of ARP virus: To send fake ARP spoofing broadcast, poisoning the computer itself disguised as a gateway characteristics, can quickly lock poisoned computers. You can imagine using the program to achieve the following functions: When the network is normal, firmly remember the correct gateway IP address and MAC address, and real-time monitoring from the entire network of ARP packets, when found that there is an ARP packet broadcast, its IP address is the correct gateway IP address, But its MAC address is actually the MAC address of other computers, at this time, there is no doubt that ARP spoofing occurred. To this suspicious MAC address alarm, in accordance with the network normal time of the IP-MAC Address Table query the computer, locate its IP address, so that the location of a poisoned computer. The following details how to use the command line method to detect ARP poisoned computers.
Command Line method
This method is relatively simple, without the use of Third-party tools, the system with the ARP command can be completed. When ARP spoofing occurs in the LAN, ARP virus computers will send ARP spoofing broadcast to the whole network, then other computers in the LAN will dynamically update their own ARP cache table, and the MAC address of the gateway will be recorded as the MAC address of the ARP virus computer. At this time we only in other affected computers to inquire about the current Gateway MAC address, we know the MAC address of the poisoned computer, query command for ARP-A, need to be in the CMD command prompt line input. The returned information after the entry is as follows:
Internet Address Physical Address Type
192.168.0.1 00-50-56-e6-49-56 Dynamic
At this point, because this computer's ARP table is the wrong record, so the MAC address is not a real gateway MAC address, but toxic computer MAC address! At this time, and then according to the network normal, the whole network of IP-MAC Address table, to find toxic computer IP address on it. Thus, when the network is normal, it is important to save a IP-MAC address table for a whole network of computers. You can use the Nbtscan tool to scan the IP address and MAC address of the entire network segment and save it for later use.