Mitigating Spoof Attacks
Describing ARP spoofing

In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address. The device at that IP address replies with its MAC address. The originating host caches the ARP response, using it to populate the destination Layer 2 header of packets sent to that IP address. By spoofing an ARP reply from a legitimate device, an attacking device appears to be the destination host sought by the senders. The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. All packets destined for those IP addresses will be forwarded through the attacker system.

The sequence of events shown in the figure outlines an ARP spoofing attack.
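
The cache poisoning described above leaves two traces on the wire: a reply that no request asked for, and an IP address that suddenly maps to a different MAC address. The following detection sketch is an added example, not part of the original material; the names ArpMonitor, parse_arp and build_frame, and all addresses in the sample frames, are constructed for illustration.

```python
import struct
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_PREFIX = b"\x00\x01\x08\x00\x06\x04"  # htype Ethernet, ptype IPv4, hlen 6, plen 4

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06" or frame[14:20] != ARP_PREFIX:
        return None  # not ARP (EtherType 0x0806) or not Ethernet/IPv4 ARP
    op, sha, spa, _tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    dotted = lambda b: ".".join(map(str, b))
    return op, sha.hex(":"), dotted(spa), dotted(tpa)

class ArpMonitor:  # tracks IP-to-MAC bindings seen on the wire and reports anomalies
    def __init__(self):
        self.bindings = {}    # IP -> first MAC seen claiming it
        self.pending = set()  # IPs for which a broadcast request is outstanding

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, mac, ip, target_ip = parsed
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add(target_ip)
        elif op == ARP_REPLY:
            if ip not in self.pending:  # nobody asked for this address
                alerts.append(f"unsolicited reply for {ip} from {mac}")
            self.pending.discard(ip)
        known = self.bindings.setdefault(ip, mac)
        if known != mac:  # same IP, different MAC than first learned
            alerts.append(f"binding change for {ip}: {known} -> {mac}")
        return alerts

def build_frame(op, src_mac, src_ip, dst_mac, dst_ip):  # builds constructed test frames
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(map(int, a.split(".")))
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac(dst_mac)
    return (eth_dst + mac(src_mac) + b"\x08\x06" + ARP_PREFIX + struct.pack("!H", op)
            + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip))

HOST, GW, OTHER = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE = [  # constructed: host asks for the gateway, gateway answers, a second MAC claims the gateway IP
    build_frame(ARP_REQUEST, HOST, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
    build_frame(ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.10"),
    build_frame(ARP_REPLY, OTHER, "10.0.0.1", HOST, "10.0.0.10"),
]

def run_sample():
    monitor = ArpMonitor()
    return [monitor.observe(f) for f in SAMPLE]
```

On a switched network a passive monitor sees unicast replies only from a mirrored port, so the unsolicited-reply check assumes that vantage point. Legitimate events such as a replaced network adapter also change a binding, so each alert needs correlation before action.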