Who's On My Wifi
Who Is On My Wifi detects intruders
on your wireless network.
Strengths and Weaknesses of using ARP packets for Intrusion Detection
Strengths
Detectability: The greatest strength of using ARP requests to determine whether an unknown computer is on the network is that there is no way for a computer to be on the network and go undetected.
Because all computers rely on the Address Resolution Protocol to communicate with each other, a computer that is actually on the network has to make its MAC address known to the world. So it has to be detectable.
Single Software: Easy to use from a single machine with a single software program. Other solutions, such as checking all switch logs, require every switch on the network to be SNMP compatible and to have consistent MIB databases, meaning all switches would probably have to be from the same vendor.
Small Offices are also protected: Easy to use at home office or remote branch locations, where SNMP compatible switches may or may not be in use.
Weaknesses
Routability: Because ARP requests are not routable, one of the bigger problems is that anyone defending a large network, which could have multiple subnets connected through VPNs, would need to run their detection software on each LAN segment.
Because of Who Is On My Wifi's low price, large networks can easily purchase single copies for each LAN segment.
ARP caching: By default, ARP results are meant to be cached in the local machine's ARP table. So unless the software vendor forces the ARP table to clear its cache before scanning, the results could be inaccurate.
Who Is On My Wifi clears the ARP cache before each scan to create accurate, reliable results.
MAC spoofing: Personal computers have the ability to change their own MAC address. For an intrusion detection system to work accurately, the software needs to be able to detect when a new computer that has joined the network has simply given itself the same MAC address as another computer that is already on the network.
This is why Who Is On My Wifi allows additional fingerprinting methods to be combined with the MAC address to create a Digital Signature of the remote computer. This Digital Signature is what is compared when testing for intrusions, not just the MAC address.
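
The comparison described above, sketched as an added example (not Who Is On My Wifi's own code or algorithm): each host seen in a scan is checked against a baseline of approved devices by a combined signature rather than by MAC address alone. The hostname and OS fields, the SHA-256 hash, the verdict names and all sample addresses are assumptions constructed for illustration.

```python
import hashlib

def norm_mac(mac):
    # Accept aa-bb-.. or AA:BB:.. forms and compare case-insensitively.
    return mac.lower().replace("-", ":")

def signature(mac, hostname, os_guess):
    # Assumed attributes: hostname and OS guess stand in for the page's
    # unspecified "additional fingerprinting methods".
    material = "|".join([norm_mac(mac), hostname.lower(), os_guess.lower()])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def classify(baseline, scan):
    """baseline: {mac: signature}; scan: list of host dicts from one sweep.
    Returns {ip: verdict}."""
    by_mac = {}
    for host in scan:
        by_mac.setdefault(norm_mac(host["mac"]), []).append(host["ip"])
    verdicts = {}
    for host in scan:
        mac = norm_mac(host["mac"])
        sig = signature(mac, host["hostname"], host["os"])
        if mac not in baseline:
            verdicts[host["ip"]] = "unknown-device"
        elif sig != baseline[mac]:
            # Approved MAC, but the rest of the fingerprint does not match.
            verdicts[host["ip"]] = "mac-match-fingerprint-mismatch"
        elif len(by_mac[mac]) > 1:
            # Same MAC answering from more than one IP in a single scan.
            verdicts[host["ip"]] = "known-but-mac-duplicated"
        else:
            verdicts[host["ip"]] = "known"
    return verdicts

# Constructed sample data: approved devices and one scan result.
APPROVED = [("00:11:22:33:44:55", "front-desk", "windows"),
            ("00:11:22:33:44:66", "printer-1", "embedded")]
BASELINE = {norm_mac(m): signature(m, h, o) for m, h, o in APPROVED}
SCAN = [
    {"ip": "192.168.1.10", "mac": "00-11-22-33-44-55", "hostname": "front-desk", "os": "Windows"},
    {"ip": "192.168.1.20", "mac": "00:11:22:33:44:66", "hostname": "laptop-x", "os": "linux"},
    {"ip": "192.168.1.30", "mac": "de:ad:be:ef:00:01", "hostname": "guest", "os": "android"},
]

def run_example():
    return classify(BASELINE, SCAN)

if __name__ == "__main__":
    for ip, verdict in run_example().items():
        print(ip, verdict)
```

A host that copies an approved MAC address is still flagged unless it also reproduces every other attribute in the signature, and even then it is reported when the original device answers in the same scan.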