First, let me introduce the tool I use, Ax3soft Sax2. There are many such
tools, such as Sniffer, Snort, Ethereal, etc. I do not think that Sax2 is the
best tool; I just think that Sax2 is easy to use. It can quickly and
accurately locate the ARP source when an ARP attack happens on the network,
so as to ensure normal and reliable network operation.
Solution:
First, launch Sax2 and switch to the Diagnosis View.
The Diagnosis View is the most direct and effective place to locate an ARP
attack and should be our first choice. Its interface is shown in Picture 1.
[img]http://www.ids-sax2.com/articles/images/QuickLocateARPAttackSource.gif[/img]
(Picture 1)
Picture 1 clearly shows that there are two kinds of ARP attack events in the
network, ARP Scan and ARP MAC address changed, and the attack source is given
at the bottom. Meanwhile, Sax2 NIDS provides the reasons for such ARP attacks
and the corresponding solutions.
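
The two event types named in Picture 1 can be illustrated with a small detector run over ARP observations. This is an added example, not Sax2's code or detection logic; the threshold, the function name and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

GW, SCANNER, OTHER = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"

# Constructed sample ARP observations: (op, sender_mac, sender_ip, target_ip)
SAMPLE = (
    [("reply", GW, "192.168.1.1", "192.168.1.10")]
    + [("request", SCANNER, "192.168.1.50", f"192.168.1.{i}") for i in range(1, 8)]
    + [("reply", OTHER, "192.168.1.1", "192.168.1.10")]
)

SCAN_THRESHOLD = 5  # assumed: distinct targets queried by one MAC before flagging


def analyze(packets, scan_threshold=SCAN_THRESHOLD):
    """Return (event, source_mac, source_ip) tuples in the order they occur."""
    targets = defaultdict(set)  # sender MAC -> distinct IPs it has asked about
    bindings = {}               # sender IP -> last MAC seen claiming that IP
    flagged = set()             # MACs already reported as scanners
    events = []
    for op, mac, ip, target in packets:
        # ARP Scan: one station requesting many different addresses.
        if op == "request":
            targets[mac].add(target)
            if len(targets[mac]) >= scan_threshold and mac not in flagged:
                flagged.add(mac)
                events.append(("ARP Scan", mac, ip))
        # ARP probes use sender IP 0.0.0.0 and claim nothing, so skip them.
        if ip == "0.0.0.0":
            continue
        # ARP MAC address changed: a known IP is now claimed by another MAC.
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            events.append(("ARP MAC address changed", mac, ip))
        bindings[ip] = mac
    return events


if __name__ == "__main__":
    for event, mac, ip in analyze(SAMPLE):
        print(f"{event}: source {mac} ({ip})")
```

A production detector would also age out entries over a time window, since DHCP reassignment and failover pairs legitimately change IP-to-MAC bindings.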