Count ARP packets under ARP poisoning attacks

Carter Bullard carter at
Mon Nov 18 10:20:37 EST 2013

Hey Raphael,
I have found a bug in ARP flow generation that I’ve corrected
in argus-  Seems to be a very recent bug, and something
that is easy to correct in the clients, so all the data is
still good.  Any chance I can get some packets that represent
your ARP poisoning attack so I can make sure that the fix
fixes the problem you reported ????

Hope all is most excellent,


On Nov 15, 2013, at 2:58 AM, Raphael Campos Silva <raphaelcampos.rp at> wrote:

> Hello everybody,
> I'm doing an Intrusion Detection System (IDS) to detect ARP anomalies in a local network, so I get all the ARP packets that pass through Argus and store them in MySQL. Everything is fine with that, but when I make some attacks on the local network, such as ARP poisoning, Argus counts the answers (based on ARP poisoning) as requests. For example:
> +-------+-------+-------+-------+------+------+
> | saddr | daddr | spkts | dpkts | smac | dmac |
> +-------+-------+-------+-------+------+------+
> |       |       | 6     | 0     | A    | B    |
> +-------+-------+-------+-------+------+------+
> I sent 6 fake answers (by ARP poisoning) and Argus counts them as 'counter source packets'. As an alternative solution, I just toggle the values (spkts and dpkts) because I know, based on dmac, that dmac isn't a Broadcast packet.
> Is that a problem with Argus, or am I missing something?
> Thanks
> -- 
> Raphael
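
The counter swap described in the quoted message, written out as an added example; it is not part of the original thread and not Argus code. The helper names, addresses and MACs are constructed, and the rule treats every flow with a non-broadcast dmac as replies, so unicast ARP requests would be misclassified by it.

```python
# Added example: field names follow the table in the thread; all values are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"

def normalize_arp_flow(rec):
    """Apply the workaround from the thread: when dmac is not broadcast,
    the packets counted in spkts are treated as replies, so swap the counters."""
    out = dict(rec)
    out["swapped"] = rec["dmac"].lower() != BROADCAST
    if out["swapped"]:
        out["spkts"], out["dpkts"] = rec["dpkts"], rec["spkts"]
    return out

def unsolicited_replies(records):
    """Normalized flows that carry replies but no requests at all."""
    fixed = [normalize_arp_flow(r) for r in records]
    return [r for r in fixed if r["spkts"] == 0 and r["dpkts"] > 0]

# Constructed rows, shaped like the MySQL table in the thread.
SAMPLE_FLOWS = [
    # Six replies sent straight to a unicast MAC, recorded as source packets.
    {"saddr": "192.0.2.66", "daddr": "192.0.2.10", "spkts": 6, "dpkts": 0,
     "smac": "02:00:00:00:00:66", "dmac": "02:00:00:00:00:0A"},
    # Ordinary broadcast request that was answered once.
    {"saddr": "192.0.2.10", "daddr": "192.0.2.1", "spkts": 1, "dpkts": 1,
     "smac": "02:00:00:00:00:0a", "dmac": "FF:FF:FF:FF:FF:FF"},
    # Broadcast requests that nobody answered.
    {"saddr": "192.0.2.11", "daddr": "192.0.2.99", "spkts": 3, "dpkts": 0,
     "smac": "02:00:00:00:00:0b", "dmac": "ff:ff:ff:ff:ff:ff"},
]

if __name__ == "__main__":
    for flow in unsolicited_replies(SAMPLE_FLOWS):
        print("replies without requests: %s (%s) -> %s, %d packets"
              % (flow["saddr"], flow["smac"], flow["daddr"], flow["dpkts"]))
```

Once a corrected Argus client reports the direction properly, the swap has to be dropped, otherwise the counters are inverted a second time.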
