Count ARP packets under ARP poisoning attacks

Raphael Campos Silva raphaelcampos.rp at
Fri Nov 15 02:58:45 EST 2013

Hello everybody,

I'm doing an Intrusion Detection System (IDS) to detect ARP anomalies in the local
network, so I get all the ARP packets that pass through Argus and I
store them in MySQL. Everything is fine with that, but when I make some
attacks in the local network, such as ARP poisoning, Argus counts the answers
(from the ARP poisoning) as requests. For example:

| saddr | daddr | spkts | dpkts | smac | dmac |
+-------+-------+-------+-------+------+------+
|       |       |   6   |   0   |  A   |  B   |

I sent 6 fake answers (by ARP poisoning) and Argus counts them as
'counter source packets'. As an alternative solution, I just toggle the
values (spkts and dpkts) because I know, based on dmac, that it isn't a
broadcast packet.

Is that a problem with Argus, or am I missing something?
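
As an added example (not code from the post or from Argus), the heuristic the poster describes over a few constructed records laid out in the same columns as the table above: one-way traffic to a unicast dmac is treated as unsolicited replies and its counters swapped, plus a check for an IP claimed by more than one MAC. The comma-separated record layout and all values are assumptions for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample records (assumed layout, same columns as the post's table):
# saddr, daddr, spkts, dpkts, smac, dmac. Addresses are made up for the example.
SAMPLE_RECORDS = """\
192.168.1.10,192.168.1.1,1,1,aa:aa:aa:aa:aa:aa,ff:ff:ff:ff:ff:ff
192.168.1.1,192.168.1.20,6,0,0a:0a:0a:0a:0a:0a,bb:bb:bb:bb:bb:bb
192.168.1.1,192.168.1.10,2,2,cc:cc:cc:cc:cc:cc,aa:aa:aa:aa:aa:aa
"""

@dataclass
class ArpFlow:
    saddr: str
    daddr: str
    spkts: int
    dpkts: int
    smac: str
    dmac: str

def parse_records(text):
    """Parse the constructed comma-separated records into ArpFlow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        saddr, daddr, spkts, dpkts, smac, dmac = line.split(",")
        flows.append(ArpFlow(saddr, daddr, int(spkts), int(dpkts), smac.lower(), dmac.lower()))
    return flows

def is_unsolicited_reply(flow):
    """The post's heuristic: packets flowed one way only and the destination
    MAC is unicast, so they cannot have been broadcast ARP requests."""
    return flow.spkts > 0 and flow.dpkts == 0 and flow.dmac != BROADCAST

def normalise(flow):
    """The post's workaround: count the one-way unicast traffic as answers by
    swapping the source and destination packet counters."""
    if is_unsolicited_reply(flow):
        return ArpFlow(flow.saddr, flow.daddr, flow.dpkts, flow.spkts, flow.smac, flow.dmac)
    return flow

def find_conflicting_macs(flows):
    """Extra check an ARP-anomaly IDS would alert on: the same IP address
    claimed by more than one source MAC across the stored records."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.saddr].add(f.smac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}
```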

