(This answer is an adaptation of this one to make it non-WiFi dependent, simpler, faster, and more appropriate to this other question)
Indeed, there is a simple method that is supposed to work in all cases.
Under ARP Poisoning cases, there should necessarily be a duplicate MAC Address (AKA Physical Address) on your local network (AKA subnetwork or LAN), so the trick to detect it is simple: just list the ARP Table (that is: all the MACs that your computer knows) and check for duplicates.
The usual duplicate tends to be the gateway (the router that connects you to the internet).
Method:

1.- Open a shell as Administrator:

```
cmd
```

2.- Clear the ARP cache (for possibly remaining disconnected devices on your network) and wait a few seconds (30 seconds should be enough):

```
arp -d -a
```

3.- List the ARP Table by executing `arp -a` (the output is just an example case of poisoning):

```
c:\>arp -a

Interface: 192.168.11.108 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-17-31-3f-d3-a9     dynamical
  192.168.0.102         50-e5-49-c5-47-15     dynamical
  192.168.0.107         00-17-31-3f-d3-a9     dynamical
  192.168.0.108         00-0a-e4-a0-7f-78     dynamical
```

4.- Look for duplicates in the ARP table. In my example, the router `192.168.0.1` and the device at `192.168.0.107` share the same MAC, so the chances are very high that the computer `192.168.0.107` is the poisoner.

NOTE: the `cmd` shell as administrator is only needed for step 2 (Clear ARP cache). The rest of the process can be done from a normal unprivileged shell.
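The duplicate check in step 4 is easy to do by eye on a small LAN, but on a larger one it helps to script it. The following Python script is an added example written for this page, not code from the answer's author. It parses Windows `arp -a` output, groups entries per interface, ignores the broadcast and multicast entries that legitimately share MACs, and reports any MAC that maps to more than one IP. The sample output embedded below is constructed, modelled on the answer's example (the `Type` column uses the spelling `dynamic` that real Windows output prints; the parser also accepts the answer's `dynamical`). The `check_live_host()` helper is the only part that runs `arp -a` on the machine itself.

```python
import ipaddress
import re
import subprocess
from collections import defaultdict

# Constructed sample, modelled on the answer's example (not captured from a real host).
# The broadcast and multicast lines are included because they share MACs by design
# and must not be reported as poisoning.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.0.108 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-17-31-3f-d3-a9     dynamic
  192.168.0.102         50-e5-49-c5-47-15     dynamic
  192.168.0.107         00-17-31-3f-d3-a9     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

IFACE_RE = re.compile(r"^Interface:\s*(\S+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"      # IPv4 address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"   # MAC in Windows dash notation
    r"(\w+)",                                # type: dynamic / static (or "dynamical")
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {interface_ip: [(ip, mac, type), ...]} from Windows `arp -a` output."""
    tables = defaultdict(list)
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and iface is not None:
            ip, mac, typ = m.groups()
            tables[iface].append((ip, mac.lower(), typ.lower()))
    return dict(tables)


def is_expected_shared_mac(ip, mac):
    """Broadcast and multicast entries legitimately reuse MACs; skip them."""
    if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e-"):
        return True
    addr = ipaddress.ip_address(ip)
    return addr.is_multicast or ip == "255.255.255.255"


def find_duplicate_macs(tables):
    """Return {interface: {mac: [ips]}} for MACs that map to more than one IP.

    Grouping is per interface: the same router seen on two interfaces
    (e.g. Ethernet and Wi-Fi) is normal, the same MAC on two IPs of one
    interface is what the answer's step 4 is looking for.
    """
    findings = {}
    for iface, entries in tables.items():
        by_mac = defaultdict(list)
        for ip, mac, _typ in entries:
            if not is_expected_shared_mac(ip, mac):
                by_mac[mac].append(ip)
        dups = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
        if dups:
            findings[iface] = dups
    return findings


def check_live_host():
    """Run `arp -a` on this Windows host and return its duplicate-MAC findings."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return find_duplicate_macs(parse_arp_table(out))


if __name__ == "__main__":
    findings = find_duplicate_macs(parse_arp_table(SAMPLE_ARP_OUTPUT))
    if not findings:
        print("No duplicate MACs found.")
    for iface, dups in findings.items():
        for mac, ips in dups.items():
            print(f"[{iface}] MAC {mac} claimed by {len(ips)} IPs: {', '.join(ips)}")
```

A duplicate is a strong hint, not proof: a single host with two IP addresses on one interface, or a router doing proxy ARP, also shows one MAC on several IPs. The script therefore reports every match and leaves the judgement to the reader, exactly as step 4 does.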
- Could there be more than one device poisoning my LAN? Well... it is not usual, and it makes little sense: the poisoning process could (not always) slow down (maybe not much) or even crash the entire network, and poisoning the router tends to send a lot of traffic to the poisoner (it could even hang the poisoner device). But it could happen. Anyway, you can still detect it using this method. Just search for more duplicates.
- Could any other device but the router be the poisoned one? Yes. Sometimes the interesting part is to intercept data sent to a network printer, a NAS, files sent between computers... etc.
- The poisoner is not a router. Why, if the data are sent to the poisoner instead of to the router, do I still have internet running? Because the poisoner resends the traffic to the router, in an attempt that you won't notice anything. This is a part of what is usually called a "Man in the Middle (MITM)" attack.