ARP Spoofing Basics

Having just installed GlassWire, I’m a bit confused by the ARP spoofing report and wondering if I should be concerned. I assume the alert refers to the Windows ARP cache. Not sure how often this gets flushed, but I assumed it would happen fairly often. The spoof alert showed the MAC address on the gateway LAN address on my current router (which I’ve had for just over a year) changing from what could have been the MAC address of the router I switched from many moons ago. Both used the same gateway LAN address and my computer would have been connected to the old router at one point. And, of course, this gateway LAN address is still the same and has probably been in the routing tables forever. The question is why this would be hanging around. How often is the Windows ARP cache flushed, should I manually flush it at some regular interval, and is this anything to be concerned with?

Sorry for the issue. If you search your router type and something like “mac address changes”, do you see any results? Perhaps a search like that could explain the issue, and perhaps it has some feature that is changing your MAC address for some reason that you can disable.

Or maybe it’s a guest network you are joining? Do you only have a single access point, or multiple?

Thanks, Ken. That turned out to be a rookie mistake I’d rather not discuss. It was that bad. However, GlassWire did help me locate and fix this problem that has been plaguing my network for months. There are other ARP spoofing alerts though that I’m not able to understand yet. It seems many of my wireless devices are swapping IP assignments and I’m not sure why. There are very few devices on the network that are assigned static IP addresses, but DHCP tends to assign the same IP address to a device that it was assigned in the previous request. I thought this might possibly be a case of MAC randomization, which has been used in mobile and some other Wi-Fi devices to discourage device tracking. But I would expect the new MAC address to belong to the same manufacturer in that case and that is not happening on my system. So there are TVs and a bunch of other smart devices that seem to be showing up in these alerts and no explanation of what’s happening.

Any thoughts or concerns?

Thanks

I have seen others have this issue if they accidentally put a router behind a second router. Sometimes devices will share the same IP address (causing network issues) and the ARP detection will report this, because the behavior is similar to an ARP Spoof.

If you have some devices sharing the same IP due to network configuration problems then it’s probably not a security issue.

That was the rookie mistake. In doing comparison testing of routers to make sure everything was working, including VPNs, before switching, I accidentally left the old router out of sight but still connected. Everything still sorta worked with occasional disconnects, but nothing obvious or reported. The routers were essentially on the same switch.

The additional ARP spoofing alerts came after cleaning up that mess. I should give the system a few days though to catch up until all DHCP leases expire and IP addresses renew before worrying about any ARP alerts.

Thanks. Using version 2.3.343.
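
Added example, not part of the original thread and not GlassWire's own detection logic: a small triage script for the kinds of IP-to-MAC changes discussed above. It separates an IP whose binding flaps between two MACs (two hosts answering for one address, as with a second router left connected, and also what spoofing looks like) from a change to a locally administered MAC, which is how randomized addresses are marked. The observation format, labels and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations (time, IP, MAC); not taken from the thread.
SAMPLE = [
    (0, "192.168.1.1", "00:11:22:aa:bb:01"),   # gateway answered by one router
    (1, "192.168.1.1", "00:11:22:cc:dd:02"),   # ...then by a second one
    (2, "192.168.1.1", "00:11:22:aa:bb:01"),   # ...and back again
    (0, "192.168.1.20", "3c:5a:b4:10:20:30"),
    (5, "192.168.1.20", "da:a1:19:01:02:03"),  # locally administered MAC
    (0, "192.168.1.30", "f0:9f:c2:00:00:07"),
    (9, "192.168.1.31", "f0:9f:c2:00:00:07"),  # same device, new lease: no alert
]

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set.

    Randomized MACs set this bit, so they carry no manufacturer prefix.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)

def classify(observations):
    """Return {ip: label} for every IP whose MAC binding changed."""
    history = defaultdict(list)  # ip -> MACs in order seen, consecutive repeats dropped
    for _, ip, mac in sorted(observations):
        mac = mac.lower()
        if not history[ip] or history[ip][-1] != mac:
            history[ip].append(mac)

    findings = {}
    for ip, macs in history.items():
        if len(macs) < 2:
            continue  # binding never changed
        if len(macs) > len(set(macs)):
            # Binding returned to an earlier MAC: two hosts answer for this IP.
            findings[ip] = "flapping"
        elif any(is_locally_administered(m) for m in macs):
            findings[ip] = "randomized-mac"
        else:
            # One-way change, e.g. replaced hardware or a reassigned lease.
            findings[ip] = "changed"
    return findings

if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE).items()):
        print(ip, label)
```

A "flapping" result on the gateway address is the one to investigate first; the script cannot tell a misconfiguration from spoofing, only that more than one host is answering.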