-----------------------------------------------------
                   WinARP Watch
       http://jota.sm.luth.se/~andver-8/winarp/

              Version 1.0, 2001-12-02
          Copyright (c) Andreas Vernersson
-----------------------------------------------------


1. Introduction

WinARP Watch is a program that monitors Windows ARP 
cache. The ARP cache contains IP/MAC translations so 
that every time an IP packet are to be sent, the MAC 
address doesn't have to queried through a broadcast, 
instead it can use the cached address.

The problem with this is that someone can send faked 
ARP responses, which gets stored in the cache too. 
Which is called ARP poisoning and that is no good 
for you.

So this program watches the cache and stores every 
new IP/MAC combination to it's own lists. If a 
combination is already known, the program compares 
it with the cache to see if has changed.

If it has changed an icon will start to blink in 
the sys-tray. Clicking that icon to bring up the 
program to see what has happened.

This program isn't useful/working for dial-up links
since PPP doesn't use ARP, and thus isn't 
wulnerable to ARP Poisoning.

It has been tested on Windows 2000, 
Windows NT 4.0 and Windows 98. Please report bugs!

2. What to do?

If a change occurs what should you do? Well I don't
have a definite answer. But do write down the 
original and modified MAC addresses, the IP and 
DNS addresses. Check if the IP/DNS is something you
use. Check if the IP/DNS is your default gateway.

Read more at:
http://www.sans.org/infosecFAQ/threats/spoofing.htm

3. Contact

If you have any questions regarding this program,
contact me at andver-8@student.luth.se.

4. Guarantees & Redistribution

This software is provided as is, with no guarantees
expressed or implied.

You're free to redistribute this software in 
complete and unmodified form.

