Posted on 2006-05-09
Last Modified: 2012-06-21
Is Dsniff really good at sniffing switched networks without having to use a port on a switch? I am trying to harden the internal network security and I was reading about dsniff and it's ability to redirect traffic as if it were the gateway. I want to try and reproduce this result to see how easy some rogue user could do it, then take countermeasures to prevent this kind of attack.
thanks in advance
Question by:vcon13
    LVL 14

    Assisted Solution

    Yes, dsniff can do this through an ARP Cache Spoofing Attack.

    This works by flooding the switch with sppofed ARP replies, which overflows the switch's list of what MACs are associated with which port, forcing it to act like a hub instead of a switch, at least within a single VLAN.

    Countermeasures include:
    1. Encrypt all traffic so confidentiality attacks just don't work
    2. Assign each user their own private VLAN. Yes, this is possible and some extremely security-sensitive (mostly government) organizations have actually done this.
    3. Implement real-time detection and response (port shut-down) for such attacks
    LVL 43

    Assisted Solution

    Some switches are smarter than others, and are aware of APR cache overloading. You may set max MAC addresses per port on them.
    LVL 5

    Accepted Solution


    Chris_calabrese I could be mistaken, but I think you have described ARP / MAC flooding, which will do exactly what you suggest.  I could be wrong, but I think that in order to perform a man in the middle attack tools like dsniff and 'Cain and Abel' use ARP poisoning.  They take advantage of the fact that many devices update their ARP tables each time they receive an ARP 'reply'.  Thus you just need to keep sending false ARP replies to the router / switch so the desired traffic goes via your sniffing box without the need to flood the switch and degrade overall performance.

    Agree completely with your countermeasures though.

    Additional countermeasures vcon13 could consider (depending on the size of your network):

    Implement port security on your switches - for example by maintaining a MAC address database linking a MAC to a port.  This has the added benefit of preventing any non approved devices from being attached to the network in addition to preventing a machine spoofing another MAC address.

    On a small network you could implement static IP addressing and static ARP entries - although this is hard to maintain.

    Monitoring for possible arp spoofing attacks can also be a useful defense look at a tool such as ARPwatch ( - this will however require some tuning to prevent false positives especially if your environment uses DHCP - ARPwatch maintains a list of IPs and their associated MAC address.

    Some Network intrusion detection / prevention devices may also be able to monitor for potential ARP spoofing attacks.



    Featured Post

    Free Trending Threat Insights Every Day

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    Suggested Solutions

    Title # Comments Views Activity
    How to open port 9000 for remote PHP Xdebug to local PHPStorm 12 644
    SYSCTL 5 58
    Fail2Ban restart 5 61
    CentOS 6.7 User Audit 3 80
    ​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
    Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now