Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

sniffing switched networks: MAC flooding


sniffing switched networks: MAC flooding

By ghostghost | 5904 Reads |
0     0

sniffing switched networks: MAC flooding

on a non-switched network (aka hub connected) the packets for one machine are received by all other computers, so running a sniffer on a box will capture all traffic on the network. on a switched network the packets are send to their destination only. the switch has a table with every machine's MAC address and delivers packets for a computer to the port where that box is plugged. this improves network performance and also makes traditional sniffing useless. there are several methods to capture packets on a switch: arp spoofing, mac flooding, mac duplicating. MAC flooding is bombarding the switch with fake MAC addresses until the switch's memory for translation table is filled and switch enters "fail open mode" aka starts working as a hub and broadcasting packets to all machines on the network. at this moment any network sniffer will capture traffic. MAC flooding can be accomplished by dsniff or thc-parasite. Switches with management can be protected against this attack by enabling port security.

Comments
ghost's avatar
ghost 19 years ago

Arp poisoning rulez phj34r, lol.

ghost's avatar
ghost 19 years ago

Hmmm, a little short should this really be an article?

n3w7yp3's avatar
n3w7yp3 19 years ago

Of course, ARP poisioning is also loud and any admin with half a brain will know whats going on…

There's better ways to sniff on a switched network. 0wn the switch and span tcpdump across the ports. ;)