
I carried out an ARP poisoning attack from my virtual machine against a real machine with Cain & Abel and collected data with Wireshark on the real machine. While I was investigating the data with Wireshark I came across a data flow as in the picture.

What does it mean? I was expecting only an ARP storm. Can I use the information in this picture to detect an ARP poisoning attack? Or is Cain & Abel using a different trick?

[Wireshark screenshot]


1 Answer


In short, that scan doesn't show you any layer 2 information. You're interested in what MAC address the computer associates with a given IP address.

ARP poisoning affects network layer 2, or the Ethernet layer. While the computer still sends the message to the same IP (layer 3) address, the packet ends up at a different layer 2 address which is purporting to own that IP. It purports to own that IP address by poisoning ARP in an attempt to associate that IP with a different MAC address.

Once that computer has, for example, taken over the IP of the DNS server it can serve invalid DNS records or any other devious service it wishes to run.
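The check the answer describes, which MAC address is claiming a given IP, can be automated over the ARP replies in a capture. The following is an added example, not code from the answerer or from Cain & Abel or Wireshark: it walks a constructed list of ARP reply records (sender IP, sender MAC, timestamp, the same fields Wireshark shows for an ARP packet) and reports every IP that is claimed by more than one MAC, plus any MAC that claims several IPs, which is what a poisoned gateway and victim look like from the wire. The sample addresses are made up for the example.

```python
"""Detect ARP poisoning by tracking IP-to-MAC bindings seen in ARP replies.

The input is a constructed list of ARP reply records, not a real capture;
each record carries the sender IP, sender MAC and a relative timestamp,
as Wireshark displays them for an ARP reply.
"""
from collections import defaultdict

# Constructed sample of ARP replies, ordered by time (addresses are invented).
# 192.168.1.1 plays the gateway, 192.168.1.10 the victim.
SAMPLE_ARP_REPLIES = [
    {"time": 0.000, "sender_ip": "192.168.1.1",  "sender_mac": "00:11:22:33:44:01"},
    {"time": 0.120, "sender_ip": "192.168.1.10", "sender_mac": "00:11:22:33:44:0a"},
    {"time": 5.300, "sender_ip": "192.168.1.1",  "sender_mac": "00:11:22:33:44:01"},
    # From here on a second host starts claiming the gateway's IP,
    # then the victim's IP as well.
    {"time": 9.010, "sender_ip": "192.168.1.1",  "sender_mac": "08:00:27:aa:bb:cc"},
    {"time": 9.510, "sender_ip": "192.168.1.1",  "sender_mac": "08:00:27:aa:bb:cc"},
    {"time": 10.01, "sender_ip": "192.168.1.10", "sender_mac": "08:00:27:aa:bb:cc"},
]


def build_bindings(replies):
    """Return {ip: {mac: first_seen_time}} over all ARP replies seen."""
    bindings = defaultdict(dict)
    for r in replies:
        # setdefault keeps the time the MAC first claimed this IP.
        bindings[r["sender_ip"]].setdefault(r["sender_mac"], r["time"])
    return bindings


def find_conflicts(replies):
    """Return [(ip, [mac, ...])] for IPs claimed by more than one MAC.

    MACs are ordered by when they first claimed the IP, so the original
    owner comes first and the later claimant last.
    """
    conflicts = []
    for ip, macs in sorted(build_bindings(replies).items()):
        if len(macs) > 1:
            conflicts.append((ip, sorted(macs, key=macs.get)))
    return conflicts


def suspect_macs(replies):
    """Return {mac: [ips]} for MACs that claim more than one IP.

    One MAC answering for both the gateway and a host is the usual
    signature of a single poisoning machine sitting in the middle.
    """
    claims = defaultdict(set)
    for r in replies:
        claims[r["sender_mac"]].add(r["sender_ip"])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


def report(replies):
    """Human-readable summary lines for both kinds of anomaly."""
    lines = []
    for ip, macs in find_conflicts(replies):
        lines.append(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)} "
                     f"(first {macs[0]}, later {macs[-1]})")
    for mac, ips in suspect_macs(replies).items():
        lines.append(f"{mac} claims multiple IPs: {', '.join(ips)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ARP_REPLIES):
        print(line)
```

On the sample data the gateway and the victim IP both end up bound to the `08:00:27:aa:bb:cc` MAC in addition to their original owners, and that MAC is the only one claiming two IPs. Wireshark applies the same IP-to-MAC comparison itself in its ARP expert info (display filter `arp.duplicate-address-detected`), so the poisoning is visible in the ARP packets rather than in the higher-layer conversation the question's screenshot shows.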