Last week we had a problem with web browsing. Since I made static ARP entry on few machines I knew that it is the same symptom like someone doing ARP poisoning. I started wireshark which showed massive activity on destination port 137 from one internal IP adress (machine).

So for the weekend I made my computer vulnerable for ARP attack and set up XARP on it. Today when I was working, XARP started with continious alarm. I opened wireshark to locate IP address (it was the same as last week). Then I started NMAP to identify computer brand and OS. Firstly I was sure, someone started C&A. So I went to the office where this computer was in use. It wasn't C&A; computer from a young girl obviously has a lot of malware. I made netstat -an but didn't go checking IPs. Later I want to deliberately get ARP attack with this computer, but it didn't show up. Only massive knocking on 137/138. I will make fresh install of OS at that computer.

So this is it. Have you been in situation were someone used C&A and you detected it?