The safest way to obtain traffic from a switch is to coordinate with a network administrator to configure “port mirroring,” in which traffic from ports of interest is mirrored to a port that is used by the investigator.
Switches can also be attacked in several ways to try to facilitate sniffing. The most common are:
- MAC flooding (which attacks the switch’s CAM table directly)
- ARP spoofing (which attacks the ARP tables of the hosts on the LAN)
It would be hard to argue that either of these methods is really “passive,” since they require an attacker to send extensive and continuing traffic on the network. However, these are methods for facilitating traffic capture on switched networks when port mirroring or tapping a cable is not an option.
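Because both methods depend on extensive and continuing traffic, they leave a pattern a monitor on a mirror port can pick out. The following is an added example, not code from the original post: it flags a port that sources an unusual number of MAC addresses and an IP address claimed in ARP by a second MAC. The frame records, the threshold of 50 and all names are constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed frames: (switch_port, source_mac, arp_sender_ip or None)."""
    frames = [
        (1, "02:00:00:00:00:01", "192.0.2.1"),   # gateway announces itself
        (2, "02:00:00:00:00:10", "192.0.2.10"),  # ordinary host
        (3, "02:00:00:00:00:11", None),          # ordinary non-ARP frame
    ]
    # Port 7 sources 300 distinct MACs, the pattern that fills a CAM table.
    frames += [(7, f"02:aa:00:00:{i >> 8:02x}:{i & 0xff:02x}", None)
               for i in range(300)]
    # A second MAC repeatedly claims the gateway's IP address in ARP.
    frames += [(5, "02:00:00:00:00:66", "192.0.2.1")] * 3
    return frames

def detect(frames, max_macs_per_port=50):
    """Return alerts as (kind, subject, detail), each raised once.

    max_macs_per_port is an assumed threshold; an uplink or trunk port
    legitimately carries many MACs and needs a higher limit.
    """
    macs_on_port = defaultdict(set)   # port -> distinct source MACs seen
    ip_owner = {}                     # IP -> first MAC seen claiming it
    flagged_ports, conflicts, alerts = set(), set(), []
    for port, mac, arp_ip in frames:
        macs_on_port[port].add(mac)
        seen = len(macs_on_port[port])
        if seen > max_macs_per_port and port not in flagged_ports:
            flagged_ports.add(port)
            alerts.append(("mac_flood", port, seen))
        if arp_ip is not None:
            owner = ip_owner.setdefault(arp_ip, mac)
            # A changed binding can also be benign (DHCP reassignment,
            # gateway failover), so treat it as a lead, not a verdict.
            if owner != mac and (arp_ip, mac) not in conflicts:
                conflicts.add((arp_ip, mac))
                alerts.append(("arp_conflict", arp_ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

On managed switches the same two checks exist as built-in controls: port security (a per-port MAC limit) and dynamic ARP inspection.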
Published on Mon 28 April 2014 by Randy Nugent in Security with tag(s): sniffer switches