Detection of sniffing in switched networks
Daniel Kaczorowski, Maciej Szmit
Article date: 2006-02-09 14:51:06

Sniffing in switched networks is typically conducted using one of two methods: MAC flooding or ARP spoofing. However, unlike sniffing in traditional, hub-based networks, both these methods are active and so can be detected – though sometimes this is not easy.
About the authors

Daniel Kaczorowski holds an MSc in Information Technology from the Applied IT Institute of Lodz Technical University. He's currently working on his PhD in the same Institute. His main interests are programming and imaging. The described tools were part of Daniel's master's degree thesis. Maciej Szmit works in the Applied IT Institute of Lodz Technical University and in the IT Institute of Finances and IT College in Lodz. He has a PhD from Lodz University, is a member of ICGA (International Computer Games Association), NTIE (Polish IT and Economic Sciences Society), PTI (Polish IT Society) and PTUN (Polish Novell Users Association), and also holds CTT+ (CompTIA Certified Technical Trainer), CNE4 and CNE5 (Certified Novell Engineer) certificates.
What you will learn...
- how intruders sniff on communications in switched networks,
- how to detect sniffing in Windows.

What you should know...
- the basics of Windows C programming.

Unlike a hub, a switch sends frames only between specific ports - the ones the sender and recipient are connected to. Each decision to send incoming data to a certain port is made using a table stored in the memory of the switch, containing mappings of MAC hardware addresses to port numbers. Throughout its operation, a switch continues to learn the hardware addresses of the devices it serves by monitoring addresses in incoming frames. Putting network traffic through a switch prevents the sniffing of open traffic, since frames are only sent to their rightful recipients, and not to other users. Two other methods are used instead: MAC flooding and ARP spoofing. Any network administrator is sooner or later bound to run across a script kiddie who repeatedly attempts to sniff traffic using one of these methods (see Inset MAC flooding and ARP spoofing). Fortunately, such active sniffing can be detected. Let's see how this can be done, starting with the easier of the two - MAC flooding.

Look out - flood's coming!

A MAC flooding attack involves flooding the network with frames containing spoofed source addresses, typically sent either to the broadcast address or to a non-existent hardware address. The frames will reach our network adapter regardless of whether the attack was successful or not (frames sent to another system will reach us only if the switch has indeed been flooded). In other words, whenever we receive frames coming from an unknown hardware address, we're probably dealing with a flooding attempt. The only way to make sure is to check the actual MAC addresses of all the hosts in our network.

It is also possible for frames addressed to hosts unknown to the switch to appear in our network, causing the switch to act as an ordinary hub and send the frame to all its ports. However, in reality this should never happen - before any frame is sent to a specific host, the sender has to query for the recipient's hardware address (for the TCP/IP protocol stack, this is done using a broadcast ARP request) and receive a suitable ARP reply, from which the switch will learn the location of that host. All this means that if our network adapter receives a frame (or many frames) addressed to another host, we can well suspect that our switch has fallen prey to a successful MAC flooding attack.

Detecting MAC flooding requires the analysis of all frames arriving at our network adapter. Under normal circumstances in a switched network, we should only receive broadcast and multicast messages and frames addressed directly to our computer. Any conscientious administrator should always have a list of all their hosts' hardware addresses handy, but human memory being what it is, it would be convenient to have a program which would use ARP to query all local IPs for their MAC addresses and then proceed to monitor all traffic incoming to our network adapter.
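The two steps just described, as an added Python example that is not the authors' Windows tool: the hardware-address inventory is built from the ARP replies to our sweep, and every frame that then arrives at the adapter is checked against it. The MAC addresses, IP addresses and frames are constructed for the demonstration.

```python
# Added example, not the article's tool: MAC inventory from ARP replies,
# then frame classification. All addresses and frames are constructed.
import struct
BROADCAST = b"\xff" * 6
ETH_ARP = 0x0806

def ethernet(dst, src, ethertype=0x0800, payload=b""):
    """Raw Ethernet II frame, payload padded to the 60-byte minimum."""
    return dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\0")

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP reply (opcode 2), as a host answers our ARP request."""
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sender_mac
    body += bytes(map(int, sender_ip.split("."))) + target_mac
    body += bytes(map(int, target_ip.split(".")))
    return ethernet(target_mac, sender_mac, ETH_ARP, body)

def inventory_from_arp_replies(frames):
    """Step 1: collect sender MAC -> IP from the replies to our ARP sweep."""
    known = {}
    for f in frames:
        if len(f) < 42 or struct.unpack("!H", f[12:14])[0] != ETH_ARP:
            continue
        if struct.unpack("!H", f[20:22])[0] == 2:   # ARP opcode: reply
            known[f[22:28]] = ".".join(map(str, f[28:32]))
    return known

def classify_frame(frame, our_mac, known):
    """Step 2: verdict for one raw frame arriving at our adapter."""
    if len(frame) < 14:
        return "malformed"
    dst, src = frame[:6], frame[6:12]
    if src not in known:
        # A source the ARP sweep never saw: the signature of MAC flooding,
        # whether or not the switch's address table has overflowed yet.
        return "unknown-source"
    if dst == our_mac or dst == BROADCAST or dst[0] & 0x01:
        return "ok"  # unicast to us, broadcast, or multicast
    # Unicast to another host should never be forwarded to our port;
    # if it is, the switch has fallen back to hub-like behaviour.
    return "foreign-unicast"

OUR_MAC, HOST_A = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
KNOWN = inventory_from_arp_replies(
    [arp_reply(HOST_A, "192.168.0.20", OUR_MAC, "192.168.0.10")])

def run_demo():
    """Constructed capture: two normal frames, a leaked unicast, a spoofed source."""
    capture = [ethernet(OUR_MAC, HOST_A), ethernet(BROADCAST, HOST_A),
               ethernet(bytes.fromhex("00deadbeef01"), HOST_A),
               ethernet(BROADCAST, bytes.fromhex("0a1b2c3d4e5f"))]
    return [classify_frame(f, OUR_MAC, KNOWN) for f in capture]
```

A real monitor would feed frames from a promiscuous-mode capture into classify_frame and raise an alert on either non-"ok" verdict; an "unknown-source" verdict also needs the inventory refreshed before it is treated as an attack, since a newly connected legitimate host produces the same result.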
Copyright © 2006 by Software Developer's Journal. All rights reserved.