XArp – Advanced ARP Spoofing Detection

XArp provides advanced ARP spoofing detection mechanisms – made to secure your network.

Are you Ready to Take Back Control of YOUR Network?

XArp is a security application that uses advanced techniques to detect ARP-based attacks. Using active and passive modules, XArp detects hackers inside your network. ARP attacks allow an attacker to silently eavesdrop on or manipulate all data that is sent over the network. This includes documents, emails, and VoIP conversations. ARP spoofing attacks go undetected by firewalls and operating system security: firewalls do not protect you against ARP-based attacks.


Feature Comparison


  • Pre-defined security levels
  • Network monitoring
  • ARP spoofing detection
  • Passive monitoring and active validation


$29 per system
  • Pre-defined security levels
  • Network monitoring
  • ARP spoofing detection
  • Passive monitoring and active validation
  • Fine-grained detection configuration
  • Network interface individual detection
  • Protection (Linux)
  • Email alerting
  • Support from XArp developers

What others are saying

XArp will be an impenetrable wall that will keep ARP attackers at bay!
Reviewer, 3d2f.com
XArp 2 is ideal in terms of the number of detected abnormal ARP packets.
Authors, Book Network Attacks and Defenses: A Hands-on Approach
Get yourself a copy of XArp today before you and your machine become the next victims in cyber crime.
Reviewer, FiberDownload.com



XArp is free! Download it for Windows and Ubuntu Linux. To unlock the full potential of XArp buy the Pro version.


Download XArp for Windows operating systems. Note that the WinPcap installer is included in the installation package. It will automatically be installed with XArp. The installer works for 32-bit and 64-bit systems.

Windows all versions

Ubuntu Linux

Download XArp for Ubuntu operating systems. Pick the correct 32 or 64 bit version for your operating system. You will need additional software packages, see the installation notes.

Ubuntu 32 bit
Ubuntu 64 bit

Unlock the full power with XArp Pro!
Get XArp Pro now for only 29 $

Get XArp Pro!


The automatic installer will guide you through the XArp installation. During this process WinPcap will be installed. There is not much that you need to do, just follow the instructions.
First, install the required dependencies:

sudo apt-get install libwxgtk2.8-0 libxerces-c3.1 libpcap0.8 libc6 menu arptables

Then, install XArp using the downloaded deb-package:

sudo dpkg -i xarp.deb

Run XArp from the start menu, or from the command line using:

sudo xarp
If you want XArp to start directly in the background as a tray icon, you can use the


parameter. This works for both the Windows and Ubuntu version.


The security of your network is our #1 priority. XArp is developed by network security specialists with the highest standards.

The simple answer: XArp is a network security tool. It detects critical network attacks that are not covered by firewalls.
The real answer: XArp uses advanced techniques to detect ARP-attacks like ARP-spoofing. These attacks are easy to launch, have high impact, and elude firewalls.
Because ARP-based attacks are very underestimated. Using ARP-spoofing, an attacker can eavesdrop on all your network traffic, including emails and passwords, for example. All this goes totally undetected. XArp uses active and passive methods to detect such attacks.
ARP-attacks can only be performed on a local network. If you have a DSL line with dial-up for a single computer, you don’t need XArp. If your computer resides in a local network, you are at risk of ARP-attacks and need XArp. Company networks are an example of local networks. If you have a computer at work, it is most likely on a local network.
The best advice is to immediately stop all your internet and network connections. Close any browser, email and other network clients. Contact your network administrator. He can analyze the log output from XArp and decide which actions are necessary.
Not much. ARP stands for Address Resolution Protocol and is the protocol that XArp monitors.
XArp uses two groups of techniques for detecting ARP-attacks. On the one hand, XArp employs a set of filter modules that inspect every single ARP packet that comes in or goes out of your computer. The filters have different sensitivity and are grouped to make up security levels. The other group of techniques is the active network discoverers. These are used to quickly gather information about your network and support the filter modules. Furthermore, network discoverers are used to actively validate the information gathered by filter modules.
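A minimal illustration of the passive filter idea described above, added here as an example; it is not XArp's code, and the class, helper and alert names are hypothetical. It parses raw ARP frames, flags a changed IP-to-MAC binding and a mismatch between the Ethernet source and the ARP sender address, and runs on constructed sample frames using documentation addresses:

```python
import socket
import struct

def parse_arp(frame: bytes):
    """Return fields of an IPv4-over-Ethernet ARP frame, or None."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (ethertype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": socket.inet_ntoa(spa)}

class PassiveArpFilter:
    """Tracks first-seen IP-to-MAC bindings and reports inconsistencies."""
    def __init__(self):
        self.bindings = {}  # sender IP -> first MAC seen for it

    def inspect(self, frame: bytes):
        pkt, alerts = parse_arp(frame), []
        if pkt is None:
            return alerts
        # Ethernet source and ARP sender hardware address should agree.
        if pkt["eth_src"] != pkt["sha"]:
            alerts.append(("SRC_MAC_MISMATCH", pkt["spa"]))
        # ARP probes carry sender IP 0.0.0.0 and claim no binding.
        if pkt["spa"] == "0.0.0.0":
            return alerts
        # Keep the first binding; a changed mapping needs validation first.
        if self.bindings.setdefault(pkt["spa"], pkt["sha"]) != pkt["sha"]:
            alerts.append(("BINDING_CHANGED", pkt["spa"]))
        return alerts

def make_frame(eth_src, op, sha, spa, tpa):
    """Build a constructed broadcast ARP frame (sample data, not a capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (b"\xff" * 6 + mac(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + mac(sha) + socket.inet_aton(spa) + bytes(6) + socket.inet_aton(tpa))

def demo():
    """Run three constructed ARP replies for 192.0.2.1 through the filter."""
    f, gw, other = PassiveArpFilter(), "02:00:00:00:00:01", "02:00:00:00:00:99"
    frames = [make_frame(gw, 2, gw, "192.0.2.1", "192.0.2.10"),      # baseline
              make_frame(other, 2, other, "192.0.2.1", "192.0.2.10"),  # new MAC
              make_frame(other, 2, gw, "192.0.2.1", "192.0.2.10")]     # header mismatch
    return [f.inspect(fr) for fr in frames]

if __name__ == "__main__":
    print(demo())
```

A changed binding alone can be legitimate (a replaced network card, a DHCP lease moving), which is why the filter keeps the old binding instead of overwriting it until the new one has been validated.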
Most firewalls operate from ISO/OSI-layer three upwards. The ARP protocol resides in ISO/OSI-layer two. As such, firewalls do not inspect any ARP packets. There is one firewall that performs a very basic level of ARP inspection: Agnitum Outpost Firewall Pro. The security employed in this firewall is very basic and will not protect you against ARP-attacks. The IDS Snort also implements very rudimentary ARP-attack detection. The security provided is very basic and should not be counted on.
The security levels employed by XArp are made up of a collection of filter modules and network discoverers. When you are getting false alerts, you have two options: switching to a lower security level or fine-tuning the configuration. Switching to a lower security level is done in the normal user interface. Fine-tuning is performed in the advanced user interface.
Over the years, lots of different solutions for detecting ARP-attacks have been proposed. None of them became a standard, as they were not able to detect a broad range of attacks. Furthermore, there are five main solutions that are proposed when you ask around. None of them solves the problem, some not even roughly:

Static ARP tables: Impossible administrative overhead. Secure distribution of tables not possible. Depending on OS version static ARP-entries are being overwritten.

Switches: Absolutely no security. The Port-Security feature on high-end switches can easily be tricked.

VLANs: Can’t put every machine into a VLAN. VLANs have their own set of security problems.

Encryption: Can only encrypt from IP-layer upwards. Man-in-the-middle attacks on secured connections have been shown.

Firewalls: See FAQ entry above.

Read “An Introduction to ARP-spoofing” by Sean Whalen. It is very good and covers the basics needed to understand the problem.
Have a look at the Wikipedia article and the ARP RFC. This article from the University of Aberdeen does a good job, too, in explaining ARP.
Exact numbers are not available, mainly because ARP-attacks go undetected. According to a study from KPMG, about 80% of attacks on corporate networks originate from inside the network. As ARP-attacks are easily executed and have high impact, one can guess that many of these attacks are performed using ARP-attacks.
Because internal security is a highly underestimated threat! The Ernst & Young Global Information Security Survey shows that internal attacks are very common and much more dangerous than external attacks. As sources of internal attacks they mention industrial espionage, outsourcing partners, employees and others. Furthermore, an external attacker who gets access to the local network can easily collect passwords and other sensitive information using ARP-attacks.
Yes, XArp can be used by an administrator to monitor a whole subnet. XArp will inspect every ARP packet and report attacks against remote machines. Some inspection modules can only work for the local machine (e.g. StaticPreserve), but most modules will not need any local information. They monitor each ARP packet and can thus detect ARP attacks against other machines. Be sure to deploy XArp on a machine that sees all network traffic from the whole subnet. XArp can only monitor and inspect packets that it can see.
XArp needs to be run with administrator rights. You are running XArp from an account that does not have administrator rights. This is due to the fact that WinPcap needs administrative rights. If you want to run XArp from accounts with no administrative rights, do the following: log in as Administrator and open a command shell. Type in the following command and hit enter:
> sc config npf start= auto

Please note that the space after the = is mandatory. This command will start up the WinPcap driver automatically with administrative rights when your system starts. You can now use XArp from an account with no administrative rights.

The online state of a host is directly dependent on the last time an ARP packet from this host was seen and the discoverer interval for the Unicast discoverer. To enable the online status, either set the security level in the Normal view to high, or set the interval for the Unicast discoverer in the Advanced view to something like 5 minutes (00:05:00). The lower the discoverer interval, the more precise the online state.
XArp Pro can send alerts by email. XArp uses plain authentication for sending email. If your email provider does not support plain authentication, one good option is to install a local email server.

E.g. use hMailServer – an open source and free mail server for Windows OS. After installation set up the mailserver:
– As “Domain” setting e.g. use “xarp-alerts.localhost”
– The new domain will appear on the left side. Select “Accounts” and set up a new email address, e.g. “alerts”. The email address will be “alerts@xarp-alerts.localhost”. Set up a password, you will use it for configuring XArp.
– Configure hMailServer to only allow connections from the local machine: Settings -> Advanced -> IP Ranges -> Internet, remove the checkboxes under “Allow connections”.
– Configure hMailServer to allow PLAIN authentication: Settings -> Protocols -> SMTP -> RFC compliance, check “Allow plain text authentication”.

Then configure XArp:
– Configure XArp. As “Sender email address” use “alerts@xarp-alerts.localhost”. As “Receiver email address” use the address where alerts are to be sent to. As “SMTP username” use “alerts”. As “SMTP password” use the password configured for the “alerts” account in hMailServer. As “SMTP server” use As “SMTP server port” use 25.
– Send a test email from XArp using the button “Send test email”
– Check the spam folder of the receiving email account (as the server has no valid MX record, the mail can end up in spam)
– If something does not work, see the log in hMailServer under Settings -> Logging -> Show logs. Be sure that logging is enabled for SMTP in the checkbox “Enabled” under Logging.

You can use SrvStart to run XArp as a Windows service. Download SrvStart and unpack it, e.g. into


Create a file


in the same folder


with the following contents:

startup="C:\Program Files\XArp\xarp.exe"

Open a command line with administrator rights in Windows and type

SC CREATE XArp displayname= XArp binpath= "C:\srvstart_run.v110\srvstart.exe XArp -c C:\srvstart_run.v110\XArpService.ini" start= auto
SC DESCRIPTION XArp "ARP Spoofing Detection."

Now you have created a service entry called XArp in Windows that you can start under the system Services area.

To delete the service open a command line with administrator rights in Windows and type:


The logfile for XArp will be written to


The settings file for XArp is also in this path. As you now do not have a GUI to configure XArp, run XArp normally through the start menu, configure, and – if you have a Pro version – register it. Then copy the settings file from your normal user account




Your question is not answered? Feel free to contact us!


XArp tutorial in the book “Network Attacks and Defenses – A Hands-on Approach”

The book "The Network Attacks and Defenses - A Hands-on Approach" by Zouheir Trabelsi, Kadhim [...]

XArp on Hak5.org

The guys at Hak5 have shown in their video podcast how to use XArp to [...]

Our ARP spoofing detection article in Linux User magazine

We have written an article for the Linux User magazine about ARP spoofing detection. Check [...]


We are happy to hear from you and will get back to you as soon as possible!
If your network is going crazy contact us for our individual consulting services.
