Introduction

ARP (Address Resolution Protocol) spoofing, also known as ARP poisoning, is a cyberattack where an attacker sends falsified ARP messages over a local network. This malicious activity associates the attacker’s MAC address with the IP address of a legitimate device, redirecting traffic intended for the victim to the attacker instead.

This article demonstrates how ARP spoofing can be implemented in NetSim, a network simulation tool, by modifying ARP protocol behavior and analyzing the attack’s impact.

How ARP Spoofing Works

  1. Normal ARP Behaviour: Devices on a LAN use ARP to map IP addresses to MAC addresses.
  2. Spoofing: The attacker sends forged ARP replies to the victim/gateway, associating the attacker’s MAC with the IP of the gateway or target.

Example Network Scenario: 

  • Attacker Node: Smart Meter A (192.168.1.10)
  • Victim Node: Smart Meter C (192.168.1.12)
  • Target Server: Server Collector (128.11.1.25)

Smart Meter A poisons the Data Collector’s ARP cache, making it believe Smart Meter A’s MAC address corresponds to Smart Meter C’s IP. This allows Smart Meter A to send falsified data to the Server Collector while impersonating Smart Meter C.

Network Setup in NetSim

Software: NetSim Standard v14.3, Visual Studio 2022 

Project Download Link

https://github.com/NetSim-TETCOS/ARP-Spoofing-v14.3/archive/refs/heads/main.zip

Follow the instructions specified in the following link to download and set up the Project in NetSim: 

https://support.tetcos.com/en/support/solutions/articles/14000128666-downloading-and-setting-up-netsim-fileexchange-projects



The simulation involves:

  • Home Area Network (HAN): Smart Meters (A, B, C)

  • Neighbor Area Network (NAN): Access Points

  • Wide Area Network (WAN): Data Collector & Server

Key Devices:

Device            IP Address    Role
Smart Meter A     192.169.0.3   Attacker
Smart Meter C     192.169.0.2   Victim
Server Collector  192.168.0.2   Target Destination


Source Code Modifications

To simulate ARP spoofing, the following changes were made in NetSim’s source code:

ARP Protocol Modifications

  1. GenerateArpRequest.c
    • Defined attacker (Smart Meter A) and victim (Smart Meter C) nodes.
    • Modified fn_NetSim_Generate_ARP_Request() to include a false IP address in ARP packets.
  2. ARP.c
    • Added fn_NetSim_ARP_Table_Update_Log() to log ARP table changes for analysis.

Application Project Modifications

  • In Application.h, attacker and victim nodes were defined.
  • In Database_FTP_Custom.c, the function fn_NetSim_Application_StartDataAPP() was altered to spoof the source IP in data packets.
  • In Application.c, fn_NetSim_Application_GenerateNextPacket() was updated to maintain the spoofed IP in subsequent packets.

Simulation Configuration

  • Before running the simulation, enable packet trace by clicking Configure Reports on the top ribbon, and disable the static ARP table by clicking Options > Static ARP > Disable.
  • Run the simulation for 10 seconds.

Results and Analysis

The screenshot below displays the NetSim packet trace with packets filtered to show Smart Meter A (the attacker node) as the transmitter. Both the ARP request and the data packets sent from the attacker node have a spoofed source IP address (192.169.0.2) instead of its actual IP address (192.169.0.3).

ARP Logs

The logs (ARP_log.csv) show manipulated ARP table entries:


IP Address    MAC Address                    Type
192.169.0.2   Victim node (Smart Meter C)    DYNAMIC



This confirms that the Data Collector’s ARP cache was poisoned, believing Smart Meter A’s MAC corresponds to Smart Meter C’s IP.
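One way to check an ARP table update log for this kind of poisoning, as an added example that is not part of the NetSim project. It assumes the log lists updates in order with the three columns shown above (IP Address, MAC Address, Type); the rows and MAC values are constructed, and find_arp_anomalies is a hypothetical helper name.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the three-column layout shown above (an assumption
# about ARP_log.csv). MAC values are made up: ...0A stands for Smart Meter A,
# ...0C for Smart Meter C, ...0B for an unrelated node.
SAMPLE_LOG = """IP Address,MAC Address,Type
192.169.0.3,AA:AA:AA:AA:AA:0A,DYNAMIC
192.169.0.2,CC:CC:CC:CC:CC:0C,DYNAMIC
192.169.0.1,BB:BB:BB:BB:BB:0B,DYNAMIC
192.169.0.2,AA:AA:AA:AA:AA:0A,DYNAMIC
192.169.0.2,CC:CC:CC:CC:CC:0C,DYNAMIC
192.169.0.2,AA:AA:AA:AA:AA:0A,DYNAMIC
"""

def normalize_mac(mac):
    """Canonical form so 'aa-bb-..' and 'AA:BB:..' compare equal."""
    return mac.strip().upper().replace("-", ":")

def find_arp_anomalies(log_text):
    """Scan ARP table updates in file order.

    Returns (rebinds, shared):
      rebinds: [(ip, old_mac, new_mac)] each time an IP's MAC binding changed
      shared:  {mac: sorted IPs} for every MAC that claimed more than one IP
    """
    last_mac = {}                    # ip -> MAC from the most recent update
    ips_by_mac = defaultdict(set)    # mac -> every IP it was ever bound to
    rebinds = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ip = row["IP Address"].strip()
        mac = normalize_mac(row["MAC Address"])
        previous = last_mac.get(ip)
        if previous is not None and previous != mac:
            rebinds.append((ip, previous, mac))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
    shared = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return rebinds, shared

if __name__ == "__main__":
    rebinds, shared = find_arp_anomalies(SAMPLE_LOG)
    for ip, old, new in rebinds:
        print(f"REBIND {ip}: {old} -> {new}")
    for mac, ips in shared.items():
        print(f"SHARED {mac} claims {', '.join(ips)}")
```

A single rebind can be legitimate (address reassignment, replaced hardware); an IP that flips repeatedly between two MACs, or one MAC that claims several IPs, is the stronger poisoning signal.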

Conclusion

This article demonstrated how ARP spoofing can be simulated in NetSim by modifying ARP behavior and analyzing the attack’s impact.