How to identify from a Windows computer the wireless device that is poisoning router?

networking windows wireless-networking router wireless-router

Can you (temporarily) enable MAC filtering on the Wifi?

With that, you should be able to whitelist one MAC at a time and see which one is the culprit.

For what it's worth, I would suspect someone is running BitTorrent or something similar.


Even when (some of the) other answers are more practical to find your problem, as long as the original question request something like "How to find and ARP poisoning running?", I am going to give an easy-to-apply in a few steps method to detect ARP Poisoning valid for any Windows version extracted from a generic (non-WiFi), faster and simpler method here.:

If you suspect about ARP Poisoning happening only for WiFi , the usual first method is to check if your ARP table changes the Physical Address value (at least the value of your router, for example: 192.168.0.1) after 1-2 minutes of switching to WiFi mode from cable network mode.

Try these steps:

1.- Switch to non-poisoning scenario: Turn Off WiFi in your router.
2.- Open Shell as Administrator:

cmd

3.- Check ARP Table:

c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address    Type
192.168.0.1         00-24-a5-0e-a8-42   dynamical
192.168.0.102       50-e5-49-c5-47-15   dynamical
192.168.0.107       00-17-31-3f-d3-a9   dynamical

4.- Switch to posible-poisoning scenario: Turn ON WiFi in your router.
5.- Clear ARP Cache (Administrator shell required): 

arp -d -a

6.- Wait 1-2 minutes (to make sure network traffic has started the poisoning).
7.- Check again ARP Table: 

c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address    Type
192.168.0.1         00-17-31-3f-d3-a9   dynamical
192.168.0.102       50-e5-49-c5-47-15   dynamical
192.168.0.107       00-17-31-3f-d3-a9   dynamical

Compare with the other one. If the physical address (AKA as MAC) of your router has changed, then you have some ARP Poisoning in the scene.
To know who is sending the poisoning search for duplicates in the rest of the ARP Table (in the above-shown example, 192.168.0.107 is the poisoner). Explanation: the ARP poisoner device tells to all the network (LAN) something like "I am the router now".


One way to fix the issue is to turn off each device sequentially until the problem is gone. As soon as your ping rate drops to an acceptable level, you've found your culprit.

You could also turn on MAC filtering and add each device one by one as an alternative to turning the devices off. This would essentially block them one by one. Again, as soon as the levels drop to normal, you've found the resource hog.

Related

how to `tail` the latest file in a directory
SSH with no password (passwordless) on Synology DSM 5 as other (non-root) user
Is it safe to use RAM with a damaged capacitor?
Best LaTeX Editor [closed]
What gets uploaded when I surf the web?
How could I save on ink when printing this map?
What is the relationship between CPU usage and RAM?
Confusion with storage capacity (powers of 10 and 2) [duplicate]
How many folders can I put in one Windows folder?
Why are optical disc drives slower than hard disk drives?
Task scheduler does not kill task
How to set up local ntp server without internet access on ubuntu?