ARP Filters:
| Notes | Wireshark filter |
|---|---|
| Global search | `arp` |
| "ARP" options for grabbing the low-hanging fruit: | |
| Opcode 1: ARP requests | `arp.opcode == 1` |
| Opcode 2: ARP responses | `arp.opcode == 2` |
| Hunt: ARP scanning | `arp.dst.hw_mac==00:00:00:00:00:00` |
| Hunt: Possible ARP poisoning detection | `arp.duplicate-address-detected or arp.duplicate-address-frame` |
| Hunt: Possible ARP flooding detection | `((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == target-mac-address)` |
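The scanning and poisoning hunts above, applied to raw ARP payloads outside Wireshark. This is an added example, not part of the original notes: it approximates the filters' logic rather than reproducing Wireshark's dissector, and the function names, the `scan_threshold` value and the sample addresses are constructed assumptions.

```python
import struct
from collections import defaultdict

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload into a dict."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"opcode": opcode,
            "src_mac": _mac(payload[8:14]), "src_ip": _ip(payload[14:18]),
            "dst_mac": _mac(payload[18:24]), "dst_ip": _ip(payload[24:28])}

def hunt(packets, scan_threshold=3):
    """Return (scanners, conflicts) for a list of parsed ARP packets."""
    targets = defaultdict(set)  # sender MAC -> distinct IPs it asked for
    claims = defaultdict(set)   # sender IP  -> MACs that claimed it
    for p in packets:
        # Same condition as: arp.opcode == 1 with an all-zero target MAC
        if p["opcode"] == 1 and p["dst_mac"] == "00:00:00:00:00:00":
            targets[p["src_mac"]].add(p["dst_ip"])
        if p["src_ip"] != "0.0.0.0":  # ARP probes carry no sender IP
            claims[p["src_ip"]].add(p["src_mac"])
    scanners = {m: len(t) for m, t in targets.items() if len(t) >= scan_threshold}
    # One IP announced by several MACs: the duplicate-address condition
    conflicts = {i: sorted(m) for i, m in claims.items() if len(m) > 1}
    return scanners, conflicts

def build(opcode, smac, sip, dmac, dip):
    """Construct a sample ARP payload (test data, not captured traffic)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    fields = b""
    for mac, ip in ((smac, sip), (dmac, dip)):
        fields += bytes.fromhex(mac.replace(":", ""))
        fields += bytes(int(o) for o in ip.split("."))
    return header + fields

ZERO = "00:00:00:00:00:00"
# Constructed sample: one host sweeping four addresses, then two MACs answering for .1
SAMPLE = [build(1, "02:00:00:00:00:aa", "192.0.2.10", ZERO, f"192.0.2.{n}")
          for n in range(1, 5)]
SAMPLE += [build(2, "02:00:00:00:00:01", "192.0.2.1", "02:00:00:00:00:aa", "192.0.2.10"),
           build(2, "02:00:00:00:00:bb", "192.0.2.1", "02:00:00:00:00:aa", "192.0.2.10")]

if __name__ == "__main__":
    print(hunt([parse_arp(p) for p in SAMPLE]))
```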