What is a key indicator of ARP spoofing?

Multiple Choice

What is a key indicator of ARP spoofing?

Explanation:
ARP spoofing happens when forged ARP messages cause devices to associate the attacker’s MAC address with a legitimate IP. The clearest signal is seeing the same IP advertised by more than one MAC across the network—for example, an IP appearing with different MAC addresses in ARP caches or in observed traffic. That direct conflict shows the ARP table has been polluted, which is exactly what spoofing aims to do, often enabling traffic misdirection or interception.

Other symptoms are less definitive. If ARP entries age out slowly, that’s a normal timing issue with ARP caches. If ARP requests never receive replies, that points to general connectivity or ARP handling problems rather than a spoofing event. MAC addresses changing randomly can indicate spoofing in some scenarios, but it’s not as explicit a signal of ARP-level poisoning as duplicates for the same IP with different MACs.
