A switch (particularly a low-end, cheaper model) keeps a table of MAC addresses connected to each port and its memory size is limited, thus once you flood the switch with wrong MAC addresses it broadcasts to all ports to find the next MAC. Continuous flooding will make the switch broadcast traffic to every port.

Small Example (very small for illustrative point)

MAC Table with only room for 4 entries

MAC 1 - port 1
MAC 2 - port 2
MAC 3 - port 3
MAC 4 - port 4

If the MAC table is full, the next unknown MAC to come across drops the list down and the last one falls off. If this last one (MAC 4) sends traffic again it will be sent to all ports. (Subsequently, once MAC 4 responds, MAC 3 drops off the list.)

Thus the new table

NEWMAC - port 1
MAC 1 - port 1
MAC 2 - port 2
MAC 3 - port 3

For a better explanation, see the dsniff collection of tools, particularly the macof utility. This collection of sniffing tools from Dug Song is a tutorial in packet sniffing in itself, and from his homepage there are links explaining each.

http://www.monkey.org/~dugsong/dsniff/

Thanks,
 ___
_|im Nanney

On Tue, 21 Aug 2001, Mauro Flores wrote:

> Robert Freeman wrote:
>
> > I don't think you can get exactly what you want Paul. About the switched
> > networks in general, you could:
> >
> > 1) Spoof an existing MAC (not reliable)
> > 2) Flood your switch with MAC announcements (may become a nice hub!)
> > 3) Sniff the initial ARP broadcast and reply (hassle for all packets)
> >
> > regards,
> > Robert
> >
> > btw, a MiM DoS? ...geez.
>
> Hi!!
> Can anyone explain to me (or point me to a URL) why, if I flood the switch MAC
> table, it would become a hub??
> The only case I can understand where the switch becomes a hub is if I can
> fill the switch MAC table with faked MACs... otherwise the switch will
> still work as a switch...
> Am I wrong on this??
> Thanks!
>
> see around, Mauro Flores
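A small simulation of the table behaviour described in the message above, added here as an illustration and not part of the original post. The `Switch` class, its oldest-entry-first eviction (following the post's four-entry example) and the optional `max_macs_per_port` cap, modelled on the per-port MAC limits that managed switches offer, are assumptions of the example; the traffic is constructed.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch: a full table drops its oldest entry on a new MAC."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        # Assumption: optional cap on learned MACs per port (port-security style).
        self.max_macs_per_port = max_macs_per_port
        self.table = OrderedDict()  # MAC -> port, oldest entry first

    def _learn(self, mac, port):
        if mac in self.table:
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                return False  # violation: do not learn, drop the frame
        if len(self.table) >= self.table_size:
            self.table.popitem(last=False)  # the oldest entry falls off
        self.table[mac] = port
        return True

    def receive(self, src, dst, in_port):
        """Return the ports the frame is forwarded out of."""
        if not self._learn(src, in_port):
            return []
        if dst in self.table:
            return [self.table[dst]]
        return [p for p in self.ports if p != in_port]  # unknown dst: flood


def demo(max_macs_per_port=None):
    sw = Switch([1, 2, 3, 4], table_size=4, max_macs_per_port=max_macs_per_port)
    # Constructed traffic: MAC 4 is learned first, so it is the oldest entry.
    for mac, port in [("MAC4", 4), ("MAC3", 3), ("MAC2", 2), ("MAC1", 1)]:
        sw.receive(mac, BROADCAST, port)
    before = sw.receive("MAC1", "MAC4", 1)  # MAC 4 known: one port only
    sw.receive("NEWMAC", BROADCAST, 1)      # extra source MAC shows up on port 1
    after = sw.receive("MAC1", "MAC4", 1)   # is MAC 4 still in the table?
    return before, after, list(sw.table)


if __name__ == "__main__":
    print("no per-port cap:", demo())
    print("cap of 1 MAC/port:", demo(max_macs_per_port=1))
```

Without the cap, the frame for MAC 4 goes out of every other port after NEWMAC is learned; with a cap of one MAC per port the table is unchanged and the frame still goes to port 4 only.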