Follow us on Twitter!
Never in the field of human conflict was so much owed by so many to so few. - Winston Churchill
Wednesday, April 16, 2014
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Members Online
Total Online: 19
Guests Online: 17
Members Online: 2

Registered Members: 82807
Newest Member: Black Hawk
Latest Articles

sniffing switched networks: MAC flooding

Arrow Image how to sniff on a switched network

sniffing switched networks: MAC flooding

on a non-switched network (aka hub connected) the packets for one machine are received by all other computers, so running a sniffer on a box will capture all traffic on the network.
on a switched network the packets are send to their destination only. the switch has a table with every machine's MAC address and delivers packets for a computer to the port where that box is plugged. this improves network performance and also makes traditional sniffing useless.
there are several methods to capture packets on a switch: arp spoofing, mac flooding, mac duplicating.
MAC flooding is bombarding the switch with fake MAC addresses until the switch's memory for translation table is filled and switch enters "fail open mode" aka starts working as a hub and broadcasting packets to all machines on the network. at this moment any network sniffer will capture traffic.
MAC flooding can be accomplished by dsniff or thc-parasite.
Switches with management can be protected against this attack by enabling port security.


Eracleson November 12 2005 - 19:26:25
Arp poisoning rulez phj34r, lol.
wolfmankurdon November 12 2005 - 20:24:28
Hmmm, a little short should this really be an article?
n3w7yp3on November 14 2005 - 22:54:05
Of course, ARP poisioning is also loud and any admin with half a brain will know whats going on... There's better ways to sniff on a switched network. 0wn the switch and span tcpdump across the ports. Wink
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.