In ARP spoofing, is it two MACs mapping to one IP address OR two IPs mapping to one MAC address?

As far as I understand, it should be two MACs mapping to one IP. But I came across this question which has a tick mark (accepted as best answer) on it and mentions the opposite:

ARP spoofing tries to do something different: two IP addresses (or two links) which map to one MAC address.

And moreover, when I use Wireshark I do get the error "duplicate IP address detected". Both the machines are sending "I have IP address X" (and mention their own MAC along with it), so why is it not two MACs mapping to one IP? What am I missing here?

Sunny Nehra

3 Answers


The answer is correct. When ARP poisoning happens, the attacker machine is saying "Hi, I am, my MAC is AABBCCDDEEFF". And the victim machine is saying "Hi, I am, my MAC is 112233445566".

Two machines with the same MAC. Why? It's because on the Ethernet layer, IP does not mean anything. The MAC is the address used to route the packet. And when someone needs to send a packet to, it's the MAC address that defines who will receive the packet, not the IP. If the MAC is already cached, the packet is sent right away.

Otherwise, the sender will issue an ARP Request: who is Tell, the owner of the IP will reply, and will put the entry on its cache table.

You are seeing those "duplicate IP address detected" errors because 2 (or more) MAC addresses are replying to the same IP. When a message ARP Request: who is Tell is sent, both the attacker and the victim are saying they own that IP, and giving their own MAC addresses.

  • Brother, I know already that on layer 2 it's the MAC that does the job and not the IP. But see from your own example: "Hi, I am, my MAC is AABBCCDDEEFF" and "Hi, I am, my MAC is 112233445566". This is what I am trying to point out. Isn't it clearly one IP pointing to two MACs? And the rest of what you wrote, brother, I already know. This is the thing I am asking about. – Sunny Nehra Sep 11 '18 at 21:37
  • _"Isn't it clearly one IP pointing to two MAC?"_ IP does not point anywhere, it's the MAC addresses that claim to have the IP. One MAC claiming 2 IP addresses is fine. You can have an _alias_ on an interface, and add more addresses on the same physical interface. – ThoriumBR Sep 12 '18 at 11:38

You're right: narrowly speaking, to perform ARP spoofing is to provoke confusion between one IP address and two MAC addresses. But there are two related terms here that are being conflated: ARP spoofing and ARP collision.

An ARP collision is when two or more computers are responding to an ARP request with different answers: in other words, it's one IP address with two MACs.

ARP spoofing has more to do with situation and intent: it's an attempt to use ARP to get packets delivered to a destination the network administrator didn't intend. The result will usually be ARP collisions. But since "spoofing" describes a situation, rather than an event, it's likely that there will also be one MAC address with two IP addresses:

  • The spoofer may have a "legitimate" IP address in addition to the IP address it's trying to spoof. In this case, there's one MAC with two IP addresses. This isn't relevant to the collision itself, but it's a likely consequence of casual spoofing. (Alternately, the spoofer could choose not to configure an IP address through normal methods.)
  • The spoofer might be spoofing more than one IP address. In this case, it's one MAC address responding to requests for several IP addresses.
  • If the spoofer is lucky, the legitimate owner of the spoofed IP address will be down, in which case there will be no ARP collision at all. In this case, there might well be one MAC address and one IP address.

Finally, a side note: multiple IP addresses can be legitimately mapped to the same MAC address. In fact, this is standard practice in IPv6, where a server may have both an auto-generated IP address and an administrator-assigned one, both mapping to the same MAC address. Even in IPv4, this can be useful: in a small network without DNS, you could have an existing server "A" take over for another server "B" by shutting down B and giving its IP address to A as a secondary address. This may be preferable to reconfiguring a large number of clients to point to server A's primary address.


In ARP spoofing, is it two MACs mapping to one IP address OR two IPs mapping to one MAC address?

Neither. Yup, let that sink in for a second. ARP spoofing may be involved in both the situations you are describing, however the situations you are describing may not include ARP spoofing.

So what is ARP spoofing? ARP spoofing is simply the name for when a network device/interface "spoofs" or imitates ARP messages for an IP address that the device is not actually using.

two MACs mapping to one IP address

This may simply be a misconfiguration. Both devices could have the same IP address configured and as such no ARP spoofing is taking place. This would simply be an IP conflict, which does create issues but can't be called ARP spoofing.

However, many ARP attacks using spoofing will produce IP conflicts as the spoofing device will often spoof the IP addresses of other actual devices.

two IPs mapping to one MAC address

This is common in many networks as a single interface can have multiple IP addresses. With IPv6 in use, a device should have multiple addresses (at least a global and a link local). Dual stack devices should have both an IPv4 address and multiple IPv6 addresses.

On top of that, there are many reasons/devices where more than one IP address is assigned to a single interface. Just as one example among many, load balancers are typically configured to provide services for a number of different IP addresses on a single interface. There are many more examples, but in all these cases, no ARP spoofing is taking place as the devices are using each IP address.

Yet again, a device performing some types of ARP attacks will often be spoofing the ARP messages for multiple IP addresses.

So why not just say that ARP spoofing is when ARP is used in a negative way, such as some types of ARP attacks?

Throwing this in for completeness, even though you didn't ask. The most common context where ARP spoofing is discussed is associated with different types of attacks on networks.

However, this doesn't mean that ARP spoofing is always a negative. An example of a legitimate use of ARP spoofing would be "proxy ARP." One way this can be used is in configurations where direct client-to-client communication is prohibited and must pass through some "central" device where things like security rules may be enforced.

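Added example (not part of any answer above): a passive check over captured ARP payloads that separates the two mappings discussed in this thread, one IP claimed by several MACs versus one MAC claiming several IPs. The MACs are the ones used in the first answer; the 192.0.2.x addresses, the alias host and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def make_arp(op, mac, ip):
    """Build a constructed 28-byte ARP payload (Ethernet/IPv4); target fields zeroed."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + bytes(10)

def parse_arp(payload):
    """Return (sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = payload[8:14].hex(":")
    ip = ".".join(str(b) for b in payload[14:18])
    return mac, ip

def classify(payloads):
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for p in payloads:
        parsed = parse_arp(p)
        if parsed is None or parsed[1] == "0.0.0.0":  # ARP probes claim no address
            continue
        mac, ip = parsed
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    # One IP claimed by several MACs: what Wireshark reports as a duplicate IP.
    # This alone cannot tell a misconfiguration from spoofing.
    conflicts = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    contested = {m for macs in conflicts.values() for m in macs}
    # One MAC claiming several IPs: normal for aliases, worth review only when
    # that MAC is also a party to a conflict.
    multi = {m: sorted(i) for m, i in mac_to_ips.items() if len(i) > 1}
    return {
        "conflicts": conflicts,
        "multi_ip_contested": {m: i for m, i in multi.items() if m in contested},
        "multi_ip_only": {m: i for m, i in multi.items() if m not in contested},
    }

# Constructed sample: MACs from the first answer plus a made-up alias host and probe.
SAMPLE = [
    make_arp(2, "11:22:33:44:55:66", "192.0.2.1"),
    make_arp(2, "aa:bb:cc:dd:ee:ff", "192.0.2.1"),
    make_arp(2, "aa:bb:cc:dd:ee:ff", "192.0.2.50"),
    make_arp(2, "02:00:00:00:00:01", "192.0.2.20"),
    make_arp(2, "02:00:00:00:00:01", "192.0.2.21"),
    make_arp(1, "02:00:00:00:00:02", "0.0.0.0"),
]
```

On the sample, 192.0.2.1 shows up as a conflict between both MACs, the MAC that also holds 192.0.2.50 lands in `multi_ip_contested`, and the alias host with two uncontested addresses lands in `multi_ip_only`.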