• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 589


Is Dsniff really good at sniffing switched networks without having to use a port on a switch? I am trying to harden the internal network security and I was reading about dsniff and its ability to redirect traffic as if it were the gateway. I want to try and reproduce this result to see how easy some rogue user could do it, then take countermeasures to prevent this kind of attack.
thanks in advance
3 Solutions
Yes, dsniff can do this through an ARP Cache Spoofing Attack.

This works by flooding the switch with spoofed ARP replies, which overflows the switch's list of what MACs are associated with which port, forcing it to act like a hub instead of a switch, at least within a single VLAN.

Countermeasures include:
1. Encrypt all traffic so confidentiality attacks just don't work
2. Assign each user their own private VLAN. Yes, this is possible and some extremely security-sensitive (mostly government) organizations have actually done this.
3. Implement real-time detection and response (port shut-down) for such attacks
Some switches are smarter than others, and are aware of ARP cache overloading. You may set max MAC addresses per port on them.

Chris_calabrese, I could be mistaken, but I think you have described ARP / MAC flooding, which will do exactly what you suggest. I could be wrong, but I think that in order to perform a man-in-the-middle attack, tools like dsniff and 'Cain and Abel' use ARP poisoning. They take advantage of the fact that many devices update their ARP tables each time they receive an ARP 'reply'. Thus you just need to keep sending false ARP replies to the router / switch so the desired traffic goes via your sniffing box, without the need to flood the switch and degrade overall performance.

Agree completely with your countermeasures though.

Additional countermeasures vcon13 could consider (depending on the size of your network):

Implement port security on your switches, for example by maintaining a MAC address database linking a MAC to a port. This has the added benefit of preventing any non-approved devices from being attached to the network, in addition to preventing a machine spoofing another MAC address.

On a small network you could implement static IP addressing and static ARP entries, although this is hard to maintain.

Monitoring for possible ARP spoofing attacks can also be a useful defense; look at a tool such as ARPwatch (http://www.securityfocus.com/tools/142). This will, however, require some tuning to prevent false positives, especially if your environment uses DHCP. ARPwatch maintains a list of IPs and their associated MAC addresses.

Some Network intrusion detection / prevention devices may also be able to monitor for potential ARP spoofing attacks.
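The following is an added example, not code from the thread or from dsniff or ARPwatch. It models the ARP poisoning described in the second answer and the ARPwatch-style detection both answers recommend: it builds the forged ARP replies an attacker sends to the victim and the gateway (claiming the gateway's and victim's IPs with the attacker's MAC), parses them as raw Ethernet/ARP frames, and keeps an IP-to-MAC table that raises an alert when a binding changes. It also separates a one-time change to a never-before-seen MAC (the pattern a DHCP lease move produces, and the main source of false positives mentioned above) from a flip-flop between two MACs already seen for that IP, which is the pattern an ongoing poisoning attack produces. All addresses are constructed for the demo; MAC flooding (the first answer's scenario) is not modelled because a passive sniffer cannot see per-port MAC table state.

```python
import struct

# Constructed demo addresses (assumptions, not from the thread).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:01"
VICTIM_IP = "192.168.1.50"
VICTIM_MAC = "00:11:22:33:44:50"
ATTACKER_MAC = "de:ad:be:ef:00:01"

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP reply.

    A poisoning tool sends this with sender_ip set to the address it wants to
    impersonate and sender_mac set to its own MAC, so the target updates its
    ARP cache to point that IP at the attacker.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


class ArpWatcher:
    """Learn IP->MAC bindings from ARP replies and report when they change."""

    def __init__(self):
        self.current = {}   # ip -> mac currently believed to own it
        self.history = {}   # ip -> set of every mac ever seen claiming it
        self.alerts = []    # (kind, ip, old_mac, new_mac)

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, smac, sip, _, _ = parsed
        if op != ARP_REPLY:
            return None
        seen = self.history.setdefault(sip, set())
        known = self.current.get(sip)
        if known is None:
            self.current[sip] = smac
            seen.add(smac)
            return None
        if known == smac:
            return None
        # "flip-flop": IP bounces between MACs already seen for it (typical of an
        # attacker re-sending forged replies while the real host also answers).
        # "changed": brand-new MAC for this IP; with DHCP this may be a lease move.
        kind = "flip-flop" if smac in seen else "changed"
        alert = (kind, sip, known, smac)
        self.alerts.append(alert)
        self.current[sip] = smac
        seen.add(smac)
        return alert


def run_demo():
    """Baseline traffic, then poisoning of both sides, then the real gateway answering again."""
    w = ArpWatcher()
    w.observe(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    w.observe(build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    w.observe(build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))  # "I am the gateway"
    w.observe(build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))  # "I am the victim"
    w.observe(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))    # real gateway again
    return w.alerts


if __name__ == "__main__":
    for kind, ip, old, new in run_demo():
        print(f"{kind}: {ip} was {old}, now claimed by {new}")
```

In a real deployment the frames would come from a promiscuous-mode capture on a mirror port rather than from build_arp_reply, and a "changed" alert would be reconciled against the DHCP server's lease log before paging anyone; "flip-flop" alerts are the ones worth acting on immediately.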

