ARP sweep-based DoS attacks

For network inventory, it is common practice for a management system to send a sweep of ARP requests to every IP address in the subnet. In such a sweep the target IP address keeps changing, while the sender IP address and sender MAC address stay fixed at the management system's own addresses. To save a separate resolution later, many end hosts by default learn the sender IP and MAC address from an ARP request they see and populate (or refresh) the local ARP cache with it. An attacker can combine the sweep with this behavior: by sending a flood of ARP requests whose sender IP and MAC addresses change on every packet, the attacker fills the ARP cache of every listening end host on the LAN with bogus entries. Once a host's cache is full, it can no longer add entries for the peers it actually needs to reach, and its communication fails; that is the denial of service. How readily a host learns from requests that are not addressed to it is stack-dependent, so the number of bogus entries an attacker can plant varies by operating system.

ARP requests and replies are part of normal network operation. Here are some rules of thumb for deciding whether what you see is actually that:

  • For ARP requests from a diverse set of sources:
    • If the sources are legitimate hosts resolving their peers, it is normal operation
    • If the sources are not legitimate (sender MAC/IP pairs that are unknown on the subnet, especially pairs that never recur), it could be an attack such as the cache flood described above
  • For ARP requests originating from a single source and aimed at many targets:
    • If the source is the management system, it is normal operation (an inventory sweep)
    • If the source is a router, it could be a network scan passing through it; a gateway does resolve many hosts in the course of forwarding, so judge by the rate and by whether the targets are addresses that are actually in use
    • If the source is not a legitimate device, it could be an attack
IP statistics

Wireshark statistics can be used to identify whether an ARP sweep is in progress. Open Statistics | Protocol Hierarchy from the Wireshark menu bar; as shown in the preceding example, this lists the number (and share) of ARP packets in the capture, which tells us whether there is an unusual volume of ARP in the network. To see where that volume comes from, apply the display filter arp.opcode == 1 to keep only the requests, then open Statistics | Endpoints, tick Limit to display filter and look at the Ethernet tab, which breaks the requests down per source MAC address: a single MAC accounting for most of them points to a sweep (check that it belongs to the management system), while a long list of MACs that each appear only once is the signature of a cache flood with rotating sender addresses.
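To make the two patterns from this section concrete, here is an added example (not code from the book) that builds constructed ARP request frames, parses the Ethernet and ARP headers, and applies the rule of thumb per Ethernet source: one fixed sender MAC/IP pair asking for many targets is a sweep, a sender pair that changes on every packet is the cache flood. The MAC and IP addresses, the sample traffic and the threshold of 16 are assumptions made for the example; on a real capture you would feed it the raw frames (for example read from a pcap) in place of the constructed ones.

```python
import struct
from collections import defaultdict

# Ethernet II header: destination MAC, source MAC, EtherType
ETH_HDR = struct.Struct("!6s6sH")
# ARP header (RFC 826): htype, ptype, hlen, plen, opcode,
# sender MAC, sender IP, target MAC, target IP
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_to_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_to_bytes(s):
    return bytes(int(octet) for octet in s.split("."))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_request(eth_src, sender_ip, target_ip, sender_mac=None):
    """Build a broadcast ARP who-has frame. Constructed sample input, not captured
    traffic. sender_mac defaults to eth_src; a cache-flooding attacker rotates it."""
    sender_mac = sender_mac or eth_src
    eth = ETH_HDR.pack(b"\xff" * 6, mac_to_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       b"\x00" * 6, ip_to_bytes(target_ip))
    return eth + arp


def parse_arp_request(frame):
    """Return (eth_src, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4
    ARP request, or None for anything else (other EtherTypes, replies, runts)."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REQUEST:
        return None
    return bytes_to_mac(src), bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_ip(tpa)


def classify_arp_requests(frames, threshold=16):
    """Apply the rule of thumb per Ethernet source address.

    'sweep'       : one fixed (sender MAC, sender IP) pair asking for many targets;
                    legitimate if the source is the management system, a scan otherwise.
    'cache-flood' : the sender pair changes from packet to packet, the pattern that
                    plants bogus entries in every listening host's ARP cache.
    'normal'      : everything below the threshold.
    The threshold (16 here) is an assumption; tune it to the subnet size and time window.
    """
    per_src = defaultdict(lambda: {"requests": 0, "targets": set(), "senders": set()})
    all_senders = set()
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        eth_src, sha, spa, tpa = parsed
        entry = per_src[eth_src]
        entry["requests"] += 1
        entry["targets"].add(tpa)
        entry["senders"].add((sha, spa))
        all_senders.add((sha, spa))

    sources = {}
    for eth_src, entry in per_src.items():
        if len(entry["senders"]) >= threshold:
            verdict = "cache-flood"
        elif len(entry["targets"]) >= threshold and len(entry["senders"]) == 1:
            verdict = "sweep"
        else:
            verdict = "normal"
        sources[eth_src] = {"verdict": verdict, "requests": entry["requests"],
                            "targets": len(entry["targets"]), "senders": len(entry["senders"])}
    # An attacker who also rotates the Ethernet source address stays below the
    # per-source threshold; the count of distinct sender pairs across the whole
    # window still exposes the flood, so report it alongside the per-source verdicts.
    return {"sources": sources, "distinct_sender_pairs": len(all_senders)}


if __name__ == "__main__":
    frames = []
    # Inventory sweep: management system 10.0.0.2 asks for 10.0.0.1 to 10.0.0.24
    frames += [build_arp_request("00:11:22:33:44:55", "10.0.0.2", f"10.0.0.{i}")
               for i in range(1, 25)]
    # Cache flood: one NIC, rotating sender MAC/IP, every request for the same victim
    frames += [build_arp_request("de:ad:be:ef:00:01", f"10.0.0.{100 + i}", "10.0.0.50",
                                 sender_mac=f"02:00:00:00:00:{i:02x}") for i in range(24)]
    # Normal: three hosts resolving the gateway
    frames += [build_arp_request(f"aa:bb:cc:00:00:0{i}", f"10.0.0.{10 + i}", "10.0.0.1")
               for i in range(1, 4)]
    report = classify_arp_requests(frames)
    for mac, info in report["sources"].items():
        print(f"{mac}  {info}")
    print("distinct sender pairs:", report["distinct_sender_pairs"])
```

Grouping by the Ethernet source rather than the ARP sender hardware address is deliberate: the cache flood only needs the ARP sender fields to rotate, so the frames often still leave one real NIC, and that is the address the Endpoints view in Wireshark would show as well. When the attacker rotates the Ethernet source too, the per-source view sees many one-packet sources, which is why the total number of distinct sender pairs is reported next to the verdicts.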
