The simple answer: XArp is a network security tool. It detects critical network attacks that are not covered by firewalls.
The real answer: XArp uses advanced techniques to detect ARP-attacks like ARP-spoofing. These are easily to launch attacks that have high impact and elude firewalls.

Because ARP-based attacks are a very underestimated attack. Using ARP-spoofing, an attacker can eavesdrop all your network traffic including emails and passwords, for example. All this goes totally undetected. XArp performans active and passive methods to detect such attacks.

ARP-attacks can only be performend on a local network. If you got a DSL-line with dialup for a single computer, you don’t need XArp. If your computer resides in a local network, you are in risk of ARP-attacks and need XArp. An example for local networks are company networks. When you got a computer at work, this is most likely a local network.

The best advice is to immediatly stop all you internet and network connections. Close any browser, email and other network clients. Contact your network administrator. He can analyze the log output from XArp and decide which actions are necessary.

Not much. ARP stands for Address Resolution Protocol and is the protocol that XArp monitors.

XArp uses two groups of techniques for detecting ARP-attacks. On the one hand XArp employs a set of filter modules that inspect every single ARP packet that comes in or goes out of your computer. The filters have different sensitivity and are grouped to make up security levels. The other technique are active network discoverers. These are used to quickly gather information about your network and support the filter modules. Further more network discoverers are used to actively validate the information gathered by filter modules.

Most firewalls operate from ISO/OSI-layer three upwards. The ARP protocol resides in ISO/OSI-layer two. As such, firewalls do not inspect any ARP packets. There is one firewall that performs a very basic level of ARP inspection: Agnitum Outpost Firewall Pro. The security employed in this firewall is very basic will not protect you against ARP-attacks. The IDS Snort also implements very rudimentary ARP-attack detection. The security provided is very basic and should not be counted on.

The security levels employed by XArp are made up of a collection of filter modules and network discoverers. When you are getting false alerts, you have two options: switching to a lower security level or fine-tuning the configuration. Switch to a lower security level is done in the normal user interface. Fine tuning is performed in the advanced user interface.

Over the years lots of different solution for detecting ARP-attacks have been proposed. None of them became a standard as they were not able to detect a broad range of attacks. Furthermore there are five main solutions that are proposed when you ask around. All of them do not solve the problem. Some not even roughly:

Static ARP tables: Impossible administrative overhead. Secure distribution of tables not possible. Depending on OS version static ARP-entries are being overwritten.

Switches: Absolutely no security. The Port-Security Feature on high-end switches can easily be tricked

VLANs: Can’t put every machine into a VLAN. VLANs have their own set of security problems.

Encryption: Can only encrypt from IP-layer upwards. Man-in-the-middle attacks on secured connections have been shown.

Firewalls: See FAQ entry above.

Read “An Introduction to ARP-spoofing” by Sean Whalen. It is very good and covery the basics to understand the problem.

Have a look at the Wikipedia article and the ARP RFC. This article from the University of Aberdeen does a good job, too, in explaining ARP.

Exact numbers are not available. Mainly because ARP-attacks go undetected. According to a study from KPMG about 80% of attacks on coorperate networks origin from inside the network. As ARP-attacks are easily executed and have high impact, one can guess that lots of these attacks are performed using ARP-attacks.

Because internal security is a highly underestimated threat! The Ernst & Young Global Information Security Survey shows that internal attacks are very common and much more dangerous than attacks from external. As sources for internal attacks they mention industrial spionage, outsourcing partners, employees and others. Further more, an external attacker that gets access to the local network can easily collect passwords and other sensitive information using ARP-attacks.

Yes, XArp can be used by an administrator to monitor a whole subnet. XArp will inspect every ARP packet and report attacks against remote machines. Some inspection modules can only work for the local machine (e.g. StaticPreserve), but most modules will not need any local information. They monitor each ARP packet and can thus detect ARP attacks against other machines. Be sure to deploy XArp on a machine that sees all network traffic from the whole subnet. XArp can only monitor and inspect packets that it can see.

XArp needs to be run with administrator rights. You are running XArp from an account that does not have administrator rights. This is due to the fact that Winpcap needs administrative rights. If you want to run XArp from accounts with no administrative rights do the following: Log in as Administrator and open a command shell. Type in the following command and hit enter:
> sc config npf start= auto

Please note that the space after the = is mandatory. This command will startup the Winpcap driver automatically with administrative rights when you system starts. You can now use XArp from an account with no administrative rights.

The online state of a host is directly dependent on the last time an ARP packet from this host was seen and the discoverer interval for the Unicast discoverer. To enable the online status, either set the security level in the Normal view to high, or set the interval for the Unicast discoverer in the Advanced view to something like 5 minutes (00:05:00). The lower the discoverer interval, the more precise the online state.

XArp Pro can send alerts by email. XArp uses plain authentication for email sending. If you have no email provider that supports plain authentication: One good way is to install a local email server.

E.g. use hMailServer – an open source and free mail server for Windows OS. After installation set up the mailserver:
– As “Domain” setting e.g. use “xarp-alerts.localhost”
– The new domain will appear on the left side. Select “Accounts” and set up a new email address, e.g. “alerts”. The email address will be “alerts@xarp-alerts.localhost”. Set up a password, you will use it for configuring XArp.
– Configure hMailServer to only allow connections from the local machine: Settings -> Advanced -> IP Ranges -> Internet, remove the checkboxes unter “Allow connections”.
– Configure hMailServer to allow PLAIN authentication: Settings -> Protocols -> SMTP -> RFC compliance, check “Allow plain text authentication”.

Then configure XArp:
– Configure XArp. As “Sender email address” use “alerts@xarp-alerts.localhost”. As “Receiver email address” use the address where alerts are to be send to. As “SMTP username” use “alerts”. As “SMTP password” use the password configured for the “alerts” account in hMailServer. As “SMTP server” use 127.0.0.1. As “SMTP server port” use 25.
– Send a testing email address from XArp using the button “Send test email”
– Check the spam folder of the receiving email account (as the server has no valid MX record, the mail can end up in spam)
– If something does not work, see the log in hMailServer under Settings -> Logging -> Show logs. Be sure that logging is enabled for SMTP in the checkbox “Enabled” under Logging.

You can use SrvStart to run XArp as a Windows service. Download SrvStart and unpack it, e.g. into

C:\srvstart_run.v110\

Create a file

XArpService.ini

in the same folder

C:\srvstart_run.v110\

with the following contents:

[XArp]
startup="C:\Program Files\XArp\xarp.exe"
shutdown_method=winmessage

Open a command line with administrator rights in Windows and type

SC CREATE XArp displayname= XArp binpath= "C:\srvstart_run.v110\srvstart.exe XArp -c C:\srvstart_run.v110\XArpService.ini" start= auto
SC DESCRIPTION XArp "ARP Spoofing Detection."

Now you have created a service entry called XArp in Windows that you can start under the system Services area.

To delete the service open a command line with administrator rights in Windows and type:

SC DELETE XArp

The logfile for XArp will be written to

C:\Windows\System32\config\systemprofile\AppData\Roaming\xarp-SYSTEM\

The settings file for XArp is also in this path. As you now do not have a GUI to configure XArp, run XArp normally through the start menu, configure, and – if you have a Pro version – register it. Then copy the settings file from your normal user account

C:\Users\USERNAME\AppData\Roaming\xarp-USERNAME

to

C:\Windows\System32\config\systemprofile\AppData\Roaming\xarp-SYSTEM\