Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

sniffing switched networks: MAC flooding

  1. Home
  2. Articles
  3. Tutorials and How To's
  4. sniffing switched networks: MAC flooding

sniffing switched networks: MAC flooding

By ghostghost | 5742 Reads |
0     0

sniffing switched networks: MAC flooding

on a non-switched network (aka hub connected) the packets for one machine are received by all other computers, so running a sniffer on a box will capture all traffic on the network. on a switched network the packets are send to their destination only. the switch has a table with every machine's MAC address and delivers packets for a computer to the port where that box is plugged. this improves network performance and also makes traditional sniffing useless. there are several methods to capture packets on a switch: arp spoofing, mac flooding, mac duplicating. MAC flooding is bombarding the switch with fake MAC addresses until the switch's memory for translation table is filled and switch enters "fail open mode" aka starts working as a hub and broadcasting packets to all machines on the network. at this moment any network sniffer will capture traffic. MAC flooding can be accomplished by dsniff or thc-parasite. Switches with management can be protected against this attack by enabling port security.

Comments
ghost's avatar
ghost 18 years ago

Arp poisoning rulez phj34r, lol.

ghost's avatar
ghost 18 years ago

Hmmm, a little short should this really be an article?

n3w7yp3's avatar
n3w7yp3 18 years ago

Of course, ARP poisioning is also loud and any admin with half a brain will know whats going on…

There's better ways to sniff on a switched network. 0wn the switch and span tcpdump across the ports. ;)