michael_kent123
Posted February 17, 2014

Let's imagine a hypothetical scenario.

Bob is sitting in a cafe arpspoofing and sslstripping. He has checked his configuration and logs and everything works properly. The cafe is using a standard home router (192.x.x.x) to provide its customers with internet access.

In his logfile he sees various POST and SECURE POST entries which sometimes have username / password combinations. However, he is perplexed. This is because he knows that there are plenty of people around him logging into webmail (and thus generating POST or SECURE POST requests) yet his logfile does not show these entries. This is, presumably, because at the exact moment that the target entered the POST request, the target's ARP cache was showing the real router's IP address rather than the attacker's IP address pretending to be the router.

Two questions:

First, is it possible to be too near to another computer and hence somehow their ARP cache will not be updated with the attacker's IP? Or does the success or failure of arpspoofing in no way depend on the attacker's distance from the target?

Second, is there a way to speed up the ARP poisoning? If success or failure is dependent on whether or not the attacker's IP is in the target's ARP cache, then I would have thought (perhaps incorrectly) that sending more frequent ARP packets would be the solution. I know, from Wireshark logs, that arpspoof sends out ARP requests every 2 seconds. Why can't it (or any other similar tool) send out packets every 0.5 seconds (for example)?

Opinions?

Thanks.
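The cache flip-flop the post describes is also what a defender can watch for on the same network: one IP address being claimed by more than one hardware address within a short time. The following is an added example, not part of the original post; the function names, the 10-second window and all addresses are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(payload: bytes):
    """Return (oper, sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in sha)
    ip = ".".join(str(b) for b in spa)
    return oper, mac, ip

def find_flapping(frames, window=10.0):
    """frames: (timestamp, arp_payload) pairs. Return {ip: [macs]} for IPs claimed by >1 MAC within window seconds."""
    last_seen = defaultdict(dict)  # ip -> {mac: timestamp of latest claim}
    alerts = {}
    for ts, payload in frames:
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        _oper, mac, ip = parsed
        if ip == "0.0.0.0":  # ARP probe: carries no sender binding
            continue
        last_seen[ip][mac] = ts
        recent = sorted(m for m, t in last_seen[ip].items() if ts - t <= window)
        if len(recent) > 1:
            alerts[ip] = recent
    return alerts

def _arp(oper, mac, ip, tmac="00:00:00:00:00:00", tip="192.168.1.50"):
    # Helper that builds a constructed ARP payload for the sample below.
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    ipb = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, to_b(mac), ipb(ip), to_b(tmac), ipb(tip))

# Constructed sample: the gateway address is announced by two different MACs.
SAMPLE = [
    (0.0, _arp(2, "02:00:00:00:00:01", "192.168.1.1")),
    (2.0, _arp(2, "02:00:00:00:00:02", "192.168.1.1")),
    (4.0, _arp(2, "02:00:00:00:00:02", "192.168.1.1")),
    (5.0, _arp(1, "02:00:00:00:00:03", "192.168.1.50")),
]
```

A conflict flagged this way is a lead to investigate rather than proof, since a replaced router or a reassigned DHCP lease also changes the binding.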