Networks typically contain regular patterns of traffic between well-established clients and servers.
Traffic maps reveal these typical data flows.
When used as a baseline, these maps can quickly expose client endpoints establishing sessions with one another or with Internet hosts, and other irregular communication patterns.
Suspicious traffic may show:
  - high bandwidth consumption
  - unusual protocol use
  - activity at odd times of the day
ARP Spoofing/Poisoning
Irregular peer-to-peer communication may indicate various kinds of man-in-the-middle (on-path) attacks.
ARP spoofing and ARP poisoning redirect an IP address to a MAC address that is not associated with its proper destination.
Attackers execute this by continuously sending cache update requests to the victim with erroneous address information.
ARP always overwrites its cache records with the latest request it receives.
An IDS can effectively identify this suspicious traffic because ARP poisoning generates much more ARP traffic than normal.
Use arp -a to manually inspect the local machine's ARP cache.
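The checks described above can be scripted against the output of arp -a. The example below is an added illustration and is not part of the original notes; the ARP cache text, the known-good baseline and the per-minute ARP reply counts are all constructed sample data, and the reply-count threshold is an arbitrary assumption. It goes slightly beyond the notes by accepting both the Windows and the Linux/BSD arp -a line formats, and it flags the three classic indicators of poisoning: one MAC claimed by several IPs, a gateway whose MAC differs from the baseline, and a host sending far more ARP replies than its neighbours.

```python
import re
from collections import defaultdict

# Constructed sample in Windows `arp -a` format (not a real capture).
SAMPLE_ARP_CACHE_WINDOWS = """\
Interface: 192.168.1.20 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.50          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# The same constructed cache in Linux/BSD `arp -a` format.
SAMPLE_ARP_CACHE_LINUX = """\
? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.37) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.50) at 00:11:22:33:44:55 [ether] on eth0
"""

# Constructed known-good baseline recorded earlier for the default gateway.
BASELINE = {"192.168.1.1": "00-de-ad-be-ef-01"}

# Constructed count of ARP replies seen per source MAC in a one-minute window.
SAMPLE_REPLY_COUNTS = {
    "aa-bb-cc-dd-ee-01": 340,
    "00-11-22-33-44-55": 3,
    "00-de-ad-be-ef-01": 5,
}

BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"

# Matches "<ip>  <mac>" (Windows) and "(<ip>) at <mac>" (Linux/BSD) forms.
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_arp_cache(text):
    """Return {ip: mac} from arp -a style output, normalising MACs to
    lowercase dash-separated form so Windows and Linux entries compare equal."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            ip, mac = m.groups()
            entries[ip] = mac.lower().replace(":", "-")
    return entries


def find_duplicate_macs(entries):
    """MACs that several IPs resolve to (broadcast excluded): one NIC answering
    for many addresses is the usual footprint of a poisoned cache."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        if mac != BROADCAST_MAC:
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_baseline_changes(entries, baseline):
    """IPs (typically the gateway) whose cached MAC no longer matches the
    recorded baseline; returns {ip: (expected, observed)}."""
    return {
        ip: (expected, entries[ip])
        for ip, expected in baseline.items()
        if ip in entries and entries[ip] != expected
    }


def find_chatty_senders(reply_counts, threshold=50):
    """Hosts whose ARP reply rate exceeds the threshold (assumed value): the
    volume anomaly the notes say an IDS keys on."""
    return {mac: n for mac, n in reply_counts.items() if n > threshold}


if __name__ == "__main__":
    cache = parse_arp_cache(SAMPLE_ARP_CACHE_WINDOWS)
    print("duplicate MACs :", find_duplicate_macs(cache))
    print("baseline drift :", find_baseline_changes(cache, BASELINE))
    print("chatty senders :", find_chatty_senders(SAMPLE_REPLY_COUNTS))
```

In practice the baseline dictionary would be written from a capture taken when the network was known to be healthy, and the reply counts would come from a sniffer or IDS counter; the script only needs the cache text, so it can also be pointed at the real output of arp -a on a suspect host.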