ARP spoofing

Before the tool can intercept DNS queries, it needs to be in the path of your Roku’s network traffic. It achieves this through a technique called ARP spoofing — no router access required.

What is ARP?

ARP stands for Address Resolution Protocol. Every device on a local network uses ARP to figure out where to send packets.

When your Roku wants to send traffic to your router, it doesn’t know the router’s hardware address (MAC address) directly — it only knows the router’s IP address. ARP is how it finds the MAC address that corresponds to that IP. Your Roku broadcasts an ARP request to the network asking “who has IP 192.168.1.1?”, and the router replies with its MAC address. Your Roku then stores this mapping in its ARP cache so it knows where to send future packets.


The ARP cache is a short-lived table on every networked device that maps IP addresses to MAC addresses. Devices trust ARP replies without verifying them, which is what makes ARP spoofing possible.

What ARP spoofing does

ARP spoofing exploits the fact that ARP has no authentication. Any device on the network can send an ARP reply claiming to be any IP address.

The tool sends a fake ARP reply to your Roku, claiming that your machine’s MAC address belongs to the router’s IP address. Your Roku updates its ARP cache with this false mapping. From that point on, any traffic your Roku intends to send to the router is actually sent to your machine instead.

This positions your machine as a man-in-the-middle: it sits between the Roku and the router, able to inspect and modify traffic in either direction.
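Seen from the monitoring side, the forged reply described above shows up as an unsolicited ARP reply and as a change in the MAC address bound to the router's IP. The following is an added example, not part of the tool or the original page: a passive detector that parses raw ARP frames and flags both signals. The class and function names, the MAC addresses and the Roku address 192.168.1.50 are assumptions constructed for illustration.

```python
import socket
import struct

def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": sha.hex(":"),
            "spa": socket.inet_ntoa(spa), "tpa": socket.inet_ntoa(tpa)}

class ArpWatch:
    """Passive monitor: remembers the first MAC seen per IP and outstanding requests."""
    def __init__(self):
        self.bindings = {}    # ip -> first MAC observed claiming it
        self.pending = set()  # (requester_ip, requested_ip) awaiting a reply

    def observe(self, frame):
        p, alerts = parse_arp(frame), []
        if p is None:
            return alerts
        if p["op"] == 1:                                     # request
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == 2 and (p["tpa"], p["spa"]) not in self.pending:
            alerts.append(f"{p['spa']}: unsolicited reply from {p['sha']}")
        self.pending.discard((p["tpa"], p["spa"]))           # a reply consumes the request
        if p["spa"] != "0.0.0.0":                            # ARP probes carry no sender IP
            first = self.bindings.setdefault(p["spa"], p["sha"])
            if first != p["sha"]:
                alerts.append(f"{p['spa']}: MAC changed {first} -> {p['sha']}")
        return alerts

def build(op, sha, spa, tha, tpa):
    """Build a constructed sample frame (not captured traffic)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    dst = b"\xff" * 6 if op == 1 else m(tha)                 # requests are broadcast
    return (dst + m(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + socket.inet_aton(spa) + m(tha) + socket.inet_aton(tpa))

def run_sample():
    roku, router, other = "02:00:00:00:00:50", "02:00:00:00:00:01", "02:00:00:00:00:99"
    frames = [build(1, roku, "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1"),
              build(2, router, "192.168.1.1", roku, "192.168.1.50"),   # genuine answer
              build(2, other, "192.168.1.1", roku, "192.168.1.50")]    # conflicting claim
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]
```

Gratuitous ARP sent during failover or address changes also appears as an unsolicited reply, so a changed binding for the gateway IP is the stronger signal of the two.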

Why this doesn’t require router access

Router-level DNS configuration requires administrative access to the router’s settings page — something you may not have on a shared or managed network. ARP spoofing works entirely at the local network layer, between devices on the same subnet. It requires no credentials, no router login, and no changes to any router configuration.

Your machine and your Roku only need to be on the same local network.

How the ARP spoofing process works

1. Send a fake ARP reply to the Roku

The tool crafts an ARP reply packet that tells your Roku: “The router’s IP address (192.168.1.1) is at my MAC address.” It sends this packet directly to the Roku.

2. Roku updates its ARP cache

Your Roku receives the reply and updates its ARP cache. It now maps the router’s IP to your machine’s MAC address. All traffic the Roku intended for the router is now directed to your machine.

3. Your machine intercepts packets

Your machine receives the Roku’s outbound packets using Scapy’s raw packet capture. It inspects each packet to determine what kind of traffic it is.

4. DNS queries are forwarded to Pi-hole

When the intercepted packet is a DNS query (UDP port 53), the tool rewrites its destination to your Pi-hole server and forwards it. All other traffic is forwarded normally to the actual router.


Raw packet capture and injection require elevated privileges. Run the tool with sudo on macOS and Linux, or as Administrator on Windows. Without these privileges, Scapy cannot open the network interface.
