How to identify from a Windows computer the wireless device that is poisoning router?

24

10

I live in a house with various other people who all swear that there is nothing wrong with any of their devices. The problem is that when wireless is enabled on the router, ping sky-rockets and all-round internet performance drops off the face of the earth. As soon as I disable wireless and only allow my PC access to the internet, it runs perfectly again.

I'm assuming that there will be one device that's causing the issue but I have no way of identifying it as other users are fairly uncooperative. Here's a picture below showing what's happening with the ping with wireless on, then off, then back on again.

Top - WiFi on, Middle - WiFi off, Bottom - WiFi on.

Is there any easy way to identify the issue in a situation like this?

Thanks.

Declan Greally

Posted 2014-04-07T20:11:44.300

Reputation: 341

We need some more info: ipconfig output (for both your ethernet and wireless card) would be useful, or at least your gateway config (AKA the local LAN IP of the router). You can simply cut&paste it, no need for images. – Sopalajo de Arrierez – 2014-04-07T20:15:27.533

It could be useful, when investigating ARP Poisoning, to know the output of arp -a, at least for the value of your default gateway (probably your router). – Sopalajo de Arrierez – 2014-04-07T20:16:56.330

Some pings to the LAN (in your local network) devices could give some useful info, too. – Sopalajo de Arrierez – 2014-04-07T20:18:41.940

From your question we understand that your computer is connected (too) to your router via cable (RJ45 jack), and when you switch to WiFi, you unplug that cable. Is that correct? – Sopalajo de Arrierez – 2014-04-07T20:20:17.263

I disable wireless access on the router so that it only allows connections via ethernet, if that's what you're meaning. Also, iOS from the looks of things doesn't allow you to ping their devices. Here's my arp -a, http://i.imgur.com/G5YoQZt.png and here's my ipconfig - http://i.imgur.com/36a80Ml.png

– Declan Greally – 2014-04-07T20:25:34.040

Well... 6 devices at least on your LAN. If what you suspect is ARP Poisoning for WiFi, check if the ARP table changes the Physical Address value (at least the value of your router: 192.168.0.1) after 1-2 minutes of switching to WiFi mode. – Sopalajo de Arrierez – 2014-04-07T20:31:29.040

Doesn't seem like it's that then, enabled wireless, cleared the ARP cache and the Physical Address stayed the same. – Declan Greally – 2014-04-07T20:35:43.150

ARP Poisoning requires changes to the ARP cache. If you cannot see them, your problem probably comes from somewhere else. Keep the advice from @BowlesCR down here to, at least, isolate the device slowing down traffic. Once isolated, you can obtain more data by using Wireshark, but that job is harder. – Sopalajo de Arrierez – 2014-04-07T20:40:50.000

What router are you using (make/model)? It could quite easily be a problem with your device. First, check the firmware to see if there are any upgrades available. If there aren't or it doesn't help, try a different router (different make/model if possible); you may be able to borrow one from a friend or neighbor. Consumer devices are notorious for odd failures like what you describe. – YLearn – 2014-04-08T00:55:09.913

From the question it seems your internet performance is degrading. Unless your internal network performance is bad too (ping the router, access its admin console), you should consider the simplest of the problems: someone is doing a big-ass download or is using torrent. – NothingsImpossible – 2014-04-08T12:21:08.937

Internal ping was suffering as well. I'm also using the standard Sky Sagem F@ST 2504 IIRC. – Declan Greally – 2014-04-08T12:29:14.877

I had a similar situation. MAC filtering was turned on; we had added a number of devices over time (laptops, e-readers, a Wii, portable music players). At one point we added a new laptop and iPod Touch, and at the same time I tried to enable access controls. Performance slowed to a crawl. In the end I had to turn off both access controls and MAC filtering in order to get performance back to something acceptable. It seems the number of devices -- the load on the router/WAP -- had reached a tipping point. – David – 2014-04-08T12:50:46.860

This question doesn't seem to mention ARP poisoning at all. Poisoning could be used completely colloquially here. Not sure why people are so quick to assume you think it's an ARP thing. – Cruncher – 2014-04-08T20:34:54.643

Answers

30

Can you (temporarily) enable MAC filtering on the Wifi?

With that, you should be able to whitelist one MAC at a time and see which one is the culprit.

For what it's worth, I would suspect someone is running BitTorrent or something similar.

BowlesCR

Posted 2014-04-07T20:11:44.300

Reputation: 2 607

Thanks for the suggestion, currently watching the wireless to see devices as they connect and pinging upon a change. It almost seems to happen without any reason. – Declan Greally – 2014-04-07T20:30:58.190

@DeclanGreally Have you considered that your router is underpowered? What make/model is it? What firmware is it running? – moswald – 2014-04-08T23:35:05.117

It's probably not going to happen immediately after a device is enabled, but rather after several minutes or an hour or so, when whatever bogus software starts up. – Daniel R Hicks – 2014-04-09T11:17:45.543

+1 for suspecting one or more people using BitTorrent. Chances are if they are not that tech-savvy they have no limit on connections and that would definitely add some major load to the router. – Smalltown2k – 2014-04-09T14:29:13.537

22

Even though (some of the) other answers are more practical for finding your problem, as long as the original question requests something like "How to find an ARP poisoning running?", I am going to give an easy-to-apply, few-steps method to detect ARP Poisoning, valid for any Windows version, extracted from a generic (non-WiFi), faster and simpler method here:

If you suspect ARP Poisoning happening only for WiFi, the usual first method is to check if your ARP table changes the Physical Address value (at least the value of your router, for example: 192.168.0.1) after 1-2 minutes of switching to WiFi mode from cable network mode.

Try these steps:

1.- Switch to non-poisoning scenario: Turn Off WiFi in your router.
2.- Open Shell as Administrator:

cmd

3.- Check ARP Table:

c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address    Type
192.168.0.1         00-24-a5-0e-a8-42   dynamical
192.168.0.102       50-e5-49-c5-47-15   dynamical
192.168.0.107       00-17-31-3f-d3-a9   dynamical

4.- Switch to possible-poisoning scenario: Turn ON WiFi in your router.
5.- Clear ARP Cache (Administrator shell required):

arp -d -a

6.- Wait 1-2 minutes (to make sure network traffic has started the poisoning).
7.- Check the ARP Table again:

c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address    Type
192.168.0.1         00-17-31-3f-d3-a9   dynamical
192.168.0.102       50-e5-49-c5-47-15   dynamical
192.168.0.107       00-17-31-3f-d3-a9   dynamical

Compare with the other one. If the physical address (AKA MAC) of your router has changed, then you have some ARP Poisoning in the scene.
To know who is sending the poisoning, search for duplicates in the rest of the ARP Table (in the above-shown example, 192.168.0.107 is the poisoner). Explanation: the ARP poisoner device tells all the network (LAN) something like "I am the router now".

Sopalajo de Arrierez

Posted 2014-04-07T20:11:44.300

Reputation: 5 328
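The before/after comparison described in the answer, as an added example that is not the answer author's code: it parses two constructed `arp -a` captures modelled on the tables above (standard Windows layout assumed, with `dynamic` in the Type column), flags a change of the gateway's MAC, and lists every other IP that now shares that MAC.

```python
import re
from typing import Dict, List, Optional

# Constructed samples, modelled on the two tables in the answer (WiFi off, then WiFi on).
ARP_WIFI_OFF = """\
Interface: 192.168.11.108 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-24-a5-0e-a8-42     dynamic
  192.168.0.102         50-e5-49-c5-47-15     dynamic
  192.168.0.107         00-17-31-3f-d3-a9     dynamic
"""

ARP_WIFI_ON = """\
Interface: 192.168.11.108 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-17-31-3f-d3-a9     dynamic
  192.168.0.102         50-e5-49-c5-47-15     dynamic
  192.168.0.107         00-17-31-3f-d3-a9     dynamic
"""

# One table row: IPv4, dash-separated MAC, type. Header and "Interface:" lines do not match.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-case) from `arp -a` output, skipping non-entry lines."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_gateway_poisoning(before: str, after: str, gateway_ip: str) -> dict:
    """Compare two captures: did the gateway MAC change, and which other IPs now claim it?"""
    old_mac: Optional[str] = parse_arp_table(before).get(gateway_ip)
    after_table = parse_arp_table(after)
    new_mac: Optional[str] = after_table.get(gateway_ip)
    changed = old_mac is not None and new_mac is not None and old_mac != new_mac
    # A second IP holding the gateway's new MAC is the duplicate the answer tells you to look for.
    suspects: List[str] = sorted(
        ip for ip, mac in after_table.items() if changed and ip != gateway_ip and mac == new_mac
    )
    return {"changed": changed, "old_mac": old_mac, "new_mac": new_mac, "suspects": suspects}
```

A missing gateway entry in either capture is reported as `changed: False` rather than as poisoning, so re-run `arp -a` after pinging the router in that case.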

How did you know 107 was the poisoner? From the screenshot above, everything is the same except for the router MAC addr. Thx in advance for explaining to me. – Classified – 2014-04-08T06:47:00.537

It looks like the router MAC address in the final table is the same as 107. – sWW – 2014-04-08T08:12:23.157

@Classified, sWW is right: on the ARP check during WiFi ON, the router has the same MAC Address (Physical Address) as the 192.168.0.107 IP, and that is completely impossible, so an ARP poisoning is making all the computers in the LAN send their internet traffic to 192.168.0.107, instead of to the genuine 192.168.0.1. The process is a bit longer to explain, but you can say that the poisoner is at IP 192.168.0.107. – Sopalajo de Arrierez – 2014-04-08T19:30:16.960

@SopalajodeArrierez and sWW, thanks for the explanation. I'm so blind I didn't see the MAC addr being the same for both. – Classified – 2014-04-08T19:45:46.053

12

One way to fix the issue is to turn off each device sequentially until the problem is gone. As soon as your ping rate drops to an acceptable level, you've found your culprit.

You could also turn on MAC filtering and add each device one by one as an alternative to turning the devices off. This would essentially block them one by one. Again, as soon as the levels drop to normal, you've found the resource hog.

Moses

Posted 2014-04-07T20:11:44.300

Reputation: 10 813

Thanks for the suggestion, currently watching the wireless to see devices as they connect and pinging upon a change. – Declan Greally – 2014-04-07T20:29:34.337

7

Silly question, but have you ruled out interference? Are there any 2.4 GHz devices in the area like a cordless phone or microwave?

The problem happens when wireless is on so it could be something causing radio interference. You could move the router to another outlet or another room, for example. One thing that's worked for me in the past is to change channels on the router.

You could also upgrade the firmware on the router (if that's possible) to DD-WRT and see if you see any changes. You can also boost the signal strength that way.

I know this isn't as cool as arp poisoning, but it's worth looking into.

Tensigh

Posted 2014-04-07T20:11:44.300

Reputation: 327

Agreed, @Tensigh. I suggest NirSoft WirelessNetView http://www.nirsoft.net/utils/wireless_network_view.html for channel lookup in Windows, or inSSIDer in Android http://www.metageek.net/products/inssider/

– Sopalajo de Arrierez – 2014-04-08T11:03:14.763

I'm connected through a wired connection at all times. It's when I enable the wireless signal on the router that I notice performance degrading across the entire network. – Declan Greally – 2014-04-08T12:30:09.797

@DeclanGreally, I see. But if your roommates are connecting wirelessly then one of those devices could be causing the interference. Even though they don't actually connect to the WLAN their iPhones could be scanning for WLANs and trying to connect. Seems odd that it would cause this big of a spike but the wireless router will share bandwidth with other devices including wired connections. – Tensigh – 2014-04-09T06:58:38.897

1

You could check what channels are used by yourself and your neighbors. Personally I use WiFi Analyzer on Android for this.

A WiFi channel has a bandwidth of +/-3 channels. A router configured to use channel 6 will actually affect and disturb channels 3 to 9. In practice this means that only channels 1, 6 and 11 are usable in a crowded area if you don't want to disturb each other. If the routers are configured to use the same channel there will be no disturbances since the WiFi protocol will resolve this and allow the routers to share the available bandwidth without any clashes and retransmissions.

So, if you use channel 6 and your neighbor uses channel 3, 4, 5, 7, 8 or 9 you have problems. Your neighbor will disturb your router. Since they use different channels they cannot understand each other and thus cannot resolve the sharing. The disturbances will result in massive retransmissions which in turn will disturb your neighbor's router which in turn will retransmit... you get the picture? It would be much better if your neighbor switched to channel 6.

Why are there channels 2, 3, 4, 5, 7, 8, 9, 10 available if you're not supposed to use them? I don't really know, but it may be for a historical reason: the overcrowding of today's WiFi was not anticipated, and the range of channels was there to allow fine-tuning frequencies to avoid disturbances from microwave ovens and the like.

Peter Ulfheden

Posted 2014-04-07T20:11:44.300

Reputation: 11

0

Like BowlesCR, I suspect you have a user who is either a bandwidth hog or has a virus infection of some kind on his device.

No easy way to diagnose, unless you have a router with monitoring capabilities, other than selectively blacklisting/whitelisting.

Juanefe

Posted 2014-04-07T20:11:44.300

Reputation: 1

0

The problem is probably down to someone on your network uploading too much traffic as there's much less available capacity upstream (which, as mentioned, is likely to be some BitTorrent client that's been set to run minimized on startup like uTorrent etc). It's possible that it is due to something being downloaded but this would probably be more obvious, like people watching streamed video.

Another approach is to use something like ettercap which you can use to do controlled ARP poisoning on your network. This would allow you to sniff the traffic (using Unified sniffing etc) and find out who is sending too much data. There's a reasonable tutorial here. Also if you're having problems with user compliance then Ettercap allows you to selectively disable a machine's connection by poisoning their ARP table so their traffic would not get to the router.

Pierz

Posted 2014-04-07T20:11:44.300

Reputation: 880

0

Do you have any security settings on your router? IP filtering etc? If possible, try turning them off for a while and ping again. This can sometimes cause poor performance in routers and cause high pings.

Rexxo

Posted 2014-04-07T20:11:44.300

Reputation: 1

-1

The new iPhone 5 for example crashes old WLAN networks when active. Try disabling 5 GHz in your router and only use 2 GHz.

user314024

Posted 2014-04-07T20:11:44.300

Reputation: 1

Do you have any credible sources to prove this claim? – Sickest – 2014-04-08T19:48:14.900