In an ARP spoofing attack, the attacker tries to map the MAC address with the IP address of a victim. The attacker can then intercept, steal, or delete the data. An ARP spoofing attack targets the nodes, layer 2 switches, and routers by disturbing the ARP caches of the connected systems:

Hosts A, B, and C are connected to the switch. Host A broadcasts a request (ARP) asking for the MAC address of host B, after host A sends data to host B. The switch receives the broadcast and forwards the request, and when host B receives the ARP request, it fills the ARP cache with the ARP entry and the IP address of host A (10.1.1.1 ) and the MAC address of A (aaaa.aaaa.aaaa.aaaa). When host B replies, host A fills their ARP cache with the IP address of host B (10.1.1.2) and the MAC address of B (bbbb.bbbb.bbbb.bbbb). At the same time, host C tries to poison the ARP cache of hosts A and B by sending some fake ARP messages with the IP address of B and the MAC address of host C (cccc.cccc.cccc.cccc).

Now the ARP cache is poisoned and it uses the destination MAC address of host C (cccc.cccc.cccc.cccc) for the traffic intended for host B. The attacker on host C interrupts the traffic flow between host A and host B, as host C knows the MAC addresses of host A and host B.