ARP poisoning

ARP poisoning is manipulating a computer's ARP cache in such a way that traffic from that host is redirected to another host.

Common Exchange
A common exchange goes like this:

computer1 broadcasts "who has 1.2.3.4? tell <computer1's MAC address>". computer2, which owns the IP 1.2.3.4, answers and tells computer1 its own MAC address.

If computer3, which is malicious, now also answers that ARP request, computer1 may recognize this as an IP conflict, but it does not have to.

A practice run
Here is a program that writes ARP replies to a host; it is run twice, each time with a different MAC address.

./cb -a is-at -s00:11:22:33:44:55,192.168.34.99 -d192.168.34.1 -v -l re0
--> interface_gateway: looking up gateway mac for 192.168.34.1
--> interface_gateway: resolved to mac address 0.90.b.19.56.6
--> arp reply to 00:90:0b:19:56:06 (192.168.34.1) "192.168.34.99 is-at 00:11:22:33:44:55"
1 packet written at 60 bytes totalling 60 bytes

./cb -a is-at -s00:11:22:33:44:56,192.168.34.99 -d192.168.34.1 -v -l re0
--> interface_gateway: looking up gateway mac for 192.168.34.1
--> interface_gateway: resolved to mac address 0.90.b.19.56.6
--> arp reply to 00:90:0b:19:56:06 (192.168.34.1) "192.168.34.99 is-at 00:11:22:33:44:56"
1 packet written at 60 bytes totalling 60 bytes

Notice the MAC address of 00:11:22:33:44:55 is changed to 00:11:22:33:44:56.

At the destination computer (with IP 192.168.34.1) we can inspect the arp cache with the arp -na command:

first arp reply:  ? (192.168.34.99) at 00:11:22:33:44:55 on em2
second arp reply: ? (192.168.34.99) at 00:11:22:33:44:56 on em2

The entry for 192.168.34.99 is now said to be ARP poisoned: all traffic for 192.168.34.99 would go to the MAC address 00:11:22:33:44:56 instead of 00:11:22:33:44:55. Some operating systems warn about this, as here on OpenBSD:

arp info overwritten for 192.168.34.99 by 00:11:22:33:44:56 on em2

I hope that helps understanding this. (BTW the cb program is not publicly available and only a select number of people have it.)

Mitigating ARP poisons
If you know the MAC address of your gateway and it will not change, consider setting it as a permanent (static) ARP entry; most operating systems let you do that.

Secure the switch or wifi.

False Positives
There are legitimate "gratuitous ARP" messages that also cause these "arp info overwritten" messages. Protocols associated with CARP or highly available Linux firewalls may produce messages like that. Know your network, and don't be afraid to ask around before getting worried.
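The following is an added example (not part of the original page or the cb program) that puts the practice run and the mitigation advice together from the defender's side: it parses the two formats shown above, "arp -na" rows and the OpenBSD "arp info overwritten" message, keeps a table of IP-to-MAC bindings, alerts when a pinned gateway MAC changes, warns on any other rebinding, and suppresses warnings on interfaces where gratuitous ARP is expected (CARP). The sample lines, the pinned gateway and the "carp0" interface are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# The two line formats shown on the page: an "arp -na" row and the kernel warning.
ARP_ENTRY_RE = re.compile(
    r"\? \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+)", re.I)
OVERWRITE_RE = re.compile(
    r"arp info overwritten for (?P<ip>[\d.]+) by (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+)", re.I)

@dataclass
class ArpWatch:
    """Track IP->MAC bindings seen on a host and report suspicious changes."""
    pinned: dict = field(default_factory=dict)       # ip -> MAC that must never change (your gateway)
    ignore_ifaces: set = field(default_factory=set)  # interfaces where gratuitous ARP / CARP is normal
    seen: dict = field(default_factory=dict)         # ip -> last MAC observed

    def observe(self, ip, mac, ifname):
        """Record one binding; return an alert string, or None if nothing is wrong."""
        mac = mac.lower()
        if ip in self.pinned and mac != self.pinned[ip].lower():
            return f"ALERT pinned {ip} expected {self.pinned[ip]} but saw {mac} on {ifname}"
        old = self.seen.get(ip)
        self.seen[ip] = mac
        if old is not None and old != mac and ifname not in self.ignore_ifaces:
            return f"WARN {ip} changed {old} -> {mac} on {ifname}"
        return None

    def feed_line(self, line):
        """Accept either an 'arp -na' row or an 'arp info overwritten' log line."""
        for rx in (ARP_ENTRY_RE, OVERWRITE_RE):
            m = rx.search(line)
            if m:
                return self.observe(m["ip"], m["mac"], m["ifname"])
        return None  # unrelated line

def run_demo():
    """Replay the page's sequence plus a constructed CARP failover; return the alerts raised."""
    lines = [  # constructed input, modelled on the output shown on the page
        "? (192.168.34.99) at 00:11:22:33:44:55 on em2",
        "? (192.168.34.99) at 00:11:22:33:44:56 on em2",
        "arp info overwritten for 192.168.34.99 by 00:11:22:33:44:56 on em2",
        "? (192.168.34.1) at 00:90:0b:19:56:06 on em2",
        "arp info overwritten for 192.168.34.1 by 00:11:22:33:44:55 on em2",
        "? (10.0.0.1) at 00:00:5e:00:01:01 on carp0",
        "arp info overwritten for 10.0.0.1 by 00:00:5e:00:01:02 on carp0",
    ]
    watch = ArpWatch(pinned={"192.168.34.1": "00:90:0b:19:56:06"}, ignore_ifaces={"carp0"})
    return [alert for alert in (watch.feed_line(l) for l in lines) if alert]

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it prints one WARN for the rebinding of 192.168.34.99 and one ALERT for the pinned gateway, while the change on carp0 is silently accepted.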