sniffing switched networks: MAC flooding
on a non-switched network (aka hub connected) the packets for one machine are received by all other computers, so running a sniffer on a box will capture all traffic on the network. on a switched network the packets are sent to their destination only. the switch has a table with every machine's MAC address and delivers packets for a computer to the port where that box is plugged in. this improves network performance and also makes traditional sniffing useless.

there are several methods to capture packets on a switch: arp spoofing, mac flooding, mac duplicating. MAC flooding is bombarding the switch with fake MAC addresses until the switch's memory for the translation table is filled and the switch enters "fail open mode", aka starts working as a hub and broadcasting packets to all machines on the network. at this moment any network sniffer will capture traffic. MAC flooding can be accomplished by dsniff or thc-parasite. Switches with management can be protected against this attack by enabling port security.
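A simplified in-memory model of the table behaviour and the port security limit described above, added here as an illustration and not part of the original post. The class name, table size, port numbers and MAC addresses are constructed; entry aging is not modelled, and the per-port limit is assumed to shut the port down on violation.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy model of a switch's MAC table (assumption: tiny fixed capacity, no aging)."""
    def __init__(self, ports, table_size, port_security_max=None):
        self.ports = set(ports)
        self.table_size = table_size           # capacity of the translation table
        self.max_per_port = port_security_max  # None = port security disabled
        self.cam = {}                          # MAC -> port
        self.per_port = defaultdict(set)       # port -> MACs learned on it
        self.disabled = set()                  # ports shut down after a violation

    def receive(self, in_port, src, dst):
        """Process one frame and return the set of ports it is sent out of."""
        if in_port in self.disabled:
            return set()
        if src not in self.cam:
            limit = self.max_per_port
            if limit is not None and len(self.per_port[in_port]) >= limit:
                # Port security violation: shut the port and forget its entries.
                self.disabled.add(in_port)
                for mac in self.per_port.pop(in_port):
                    self.cam.pop(mac, None)
                return set()
            if len(self.cam) < self.table_size:
                self.cam[src] = in_port
                self.per_port[in_port].add(src)
            # Otherwise the table is full and the source cannot be learned.
        if dst in self.cam:
            return {self.cam[dst]} - self.disabled
        # Unknown destination: the frame goes out of every other active port.
        return self.ports - {in_port} - self.disabled

def run_scenario(port_security_max):
    """Return (ports that receive an A->B frame, ports shut down)."""
    sw = LearningSwitch([1, 2, 3, 4], table_size=8,
                        port_security_max=port_security_max)
    host_a, host_b = "aa:00:00:00:00:01", "bb:00:00:00:00:02"
    sw.receive(1, host_a, BROADCAST)           # host A is learned on port 1
    for i in range(20):                        # port 3 shows 20 constructed sources
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    sw.receive(2, host_b, BROADCAST)           # host B speaks on port 2
    out = sw.receive(1, host_a, host_b)        # unicast from A to B
    return sorted(out), sorted(sw.disabled)

if __name__ == "__main__":
    print("no port security:", run_scenario(None))
    print("max 2 MACs/port :", run_scenario(2))
```

With the limit disabled, host B can no longer be learned and the A-to-B frame leaves on every other port; with a limit of two addresses per port, port 3 is shut down and the frame is delivered to port 2 only.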
n3w7yp3 19 years ago
Of course, ARP poisoning is also loud and any admin with half a brain will know what's going on…
There's better ways to sniff on a switched network. 0wn the switch and span tcpdump across the ports. ;)