Wireshark Filters

ARP analysis:

Works on the local network
Enables the communication between MAC addresses
Not a secure protocol
Not a routable protocol
It doesn't have an authentication function
Common patterns are request & response, announcement and gratuitous packets.
Before investigating the traffic, let's review some legitimate and suspicious ARP packets. The legitimate requests are similar to the shown picture: a broadcast request that asks if any of the available hosts use an IP address and a reply from the host that uses the particular IP address.

Global search: arp
Opcode 1: ARP requests: arp.opcode == 1
Opcode 2: ARP responses: arp.opcode == 2
Hunt:Arp scanning: arp.dst.hw_mac==00:00:00:00:00:00
Hunt:Possible ARP poisoning detection: arp.duplicate-address-detected or arp.duplicate-address-frame
Hunt:Possible ARP flooding from detection: ((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == target-mac-address)

Possible IP address match > 1 IP address announced from a MAC address

MAC: 00:0c:29:e2:18:b4 IP: 192.168.1.25

Possible ARP spoofing attempt.

2 MAC addresses claimed the same IP address (192.168.1.1). The " 192.168.1.1" IP address is a possible gateway address.

MAC1: 50:78:b3:f3:cd:f4 MAC2: 00:0c:29:e2:18:b4

Possible ARP spoofing attempt. The MAC address that ends with "b4" claims to have a different/new IP address.

MAC: 00:0c:29:e2:18:b4 IP: 192.168.1.1

Possible ARP flooding attempt. The MAC address that ends with "b4" crafted multiple ARP requests against a range of IP addresses.

MAC: 00:0c:29:e2:18:b4 IP: 192.168.1.xxx

There is HTTP traffic, and everything looks normal at the IP level, so there is no linked information with our previous findings. Let's add the MAC addresses as columns in the packet list pane to reveal the communication behind the IP addresses.
One more anomaly! The MAC address that ends with "b4" is the destination of all HTTP packets! It is evident that there is a MITM attack, and the attacker is the host with the MAC address that ends with "b4". All traffic linked to "192.168.1.12" IP addresses is forwarded to the malicious host. Let's summarise the findings before concluding the investigation.

http
- 192.168.1.12 mac 00:0c:29:98:c7:a8
- 44.228.249.3 mac 00:0c:29:e2:18:b4
- 44.228.249.3 mac 50:78:b3:f3:cd:f4
- 192.168.1.12 mac 00:0c:29:e2:18:b4
IP to MAC matches
- MAC: 00:0c:29:e2:18:b4 = IP: 192.168.1.25
- MAC: 50:78:b3:f3:cd:f4 = IP: 192.1681.1
- MAC: 00:0c:29:98:c7:a8 = IP: 192.168.1.12
Attacker:The attacker created noise with ARP packets
- MAC: 00:0c:29:e2:18:b4 = IP: 192.168.1.25
Router/gateway Gateway address
- MAC: 50:78:b3:f3:cd:f4 = IP: 192.1681.1
Victim: The attacker sniffed all traffic of the victim
- MAC: 50:78:b3:f3:cd:f4 = IP: 192.1681.12