4.3 Sniffing Concepts and Layer 2 Attacks
Key Takeaways
- Passive sniffing only captures traffic that already reaches the attacker (hubs, mirrored/SPAN ports, broadcast/multicast); active sniffing manipulates the network to force traffic to the attacker.
- Switches forward unicast frames only to the destination port, so attacks target the switch's logic (CAM table, ARP, DHCP), not the wire.
- ARP poisoning works because ARP has no authentication; forged ARP replies let an attacker become a man-in-the-middle for two hosts.
- MAC flooding overflows the switch CAM table so the switch fails open and floods frames like a hub, restoring passive visibility.
- Wireshark and tcpdump are the standard capture tools; promiscuous mode grabs all frames on a shared segment, and a SPAN/mirror port is how you legitimately capture on a switch.
Passive vs Active Sniffing
Sniffing is capturing and inspecting network traffic. CEH frames it as both an authorized analysis skill (troubleshooting, IDS, security monitoring) and an attack technique. The first distinction is passive vs active.
Passive sniffing captures only the traffic that already reaches the attacker's NIC. To see frames not addressed to it, the NIC must run in promiscuous mode, which tells the card to pass every frame up to the OS regardless of destination MAC. Passive sniffing works on legacy hubs (which repeat every frame to every port), on broadcast/multicast traffic, and on a SPAN/mirror port where a switch is configured to copy traffic to a monitoring port. It generates no extra traffic and is hard to detect.
Active sniffing is required on a switched network, because a switch forwards a unicast frame only to the port of the destination MAC (it learns MAC-to-port mappings in its CAM/MAC address table). The attacker therefore cannot passively see other hosts' traffic — so active sniffing manipulates the switch or protocols to redirect or flood traffic to the attacker. The key insight CEH tests: on a switch, you attack the device's logic and trust assumptions (ARP, DHCP, DNS, CAM table), not the physical wire.
The standard capture tools are Wireshark (GUI analysis with powerful display filters like http, ip.addr==10.0.0.5, tcp.port==443), tcpdump/tshark (CLI capture and automation), and Cain & Abel/Ettercap/Bettercap for active MITM.
Layer 2 Attacks: MAC Flooding and ARP Poisoning
MAC flooding abuses the finite size of the switch CAM table. The attacker sends a torrent of frames with random, spoofed source MAC addresses (tools like macof), filling the CAM table. When the table is full, many switches fail open — they stop learning and flood all unicast frames out every port like a hub. This restores passive visibility for the attacker and is essentially a DoS against the switch's filtering.
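To make the CAM-table mechanics concrete, here is an added toy switch model written for these notes (not any vendor's code): it learns MAC-to-port bindings, ages them out, floods unknown unicast, silently stops learning when the table is full, and can optionally enforce a per-port MAC limit in the style of port security. The capacity, aging time, port numbers and MAC addresses are invented for the demo.

```python
class Switch:
    """Toy learning switch (added model, not vendor code): CAM maps MAC -> (port, last_seen).
    Known unicast goes out one port, unknown unicast is flooded, entries age out, and a
    full table silently stops learning, which is the fail-open behaviour MAC flooding abuses."""

    def __init__(self, ports, cam_capacity, aging=300, max_macs_per_port=None):
        self.ports = ports
        self.cam_capacity = cam_capacity
        self.aging = aging                          # seconds before an entry expires
        self.max_macs_per_port = max_macs_per_port  # port-security style limit (None = off)
        self.cam = {}                               # mac -> (port, last_seen)
        self.errdisabled = set()                    # ports shut by a port-security violation
        self.flooded = 0                            # how many frames were flooded

    def forward(self, src, dst, in_port, now):
        """Return the egress ports for one frame arriving on in_port at time now."""
        self.cam = {m: e for m, e in self.cam.items() if now - e[1] < self.aging}
        if in_port in self.errdisabled:
            return []
        if src in self.cam and self.cam[src][0] == in_port:
            self.cam[src] = (in_port, now)          # refresh a known binding
        else:
            on_port = sum(1 for p, _ in self.cam.values() if p == in_port)
            if self.max_macs_per_port is not None and on_port >= self.max_macs_per_port:
                self.errdisabled.add(in_port)       # violation: err-disable the port
                return []
            if len(self.cam) < self.cam_capacity:
                self.cam[src] = (in_port, now)      # learn; when full, nothing is learned
        entry = self.cam.get(dst)
        if entry is None or entry[0] == in_port:
            self.flooded += 1                       # unknown unicast: flood like a hub
            return [p for p in self.ports if p != in_port and p not in self.errdisabled]
        return [entry[0]]


def attacker_sees_victim_traffic(port_security):
    """Victims A (port 1) and B (port 2) talk; attacker on port 3 floods spoofed sources."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=16,
                max_macs_per_port=2 if port_security else None)
    a, b, atk = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", 3
    sw.forward(a, b, 1, now=0)
    sw.forward(b, a, 2, now=0)                      # both victims learned, unicast works
    for i in range(100):                            # 100 frames, each with a new fake source MAC
        sw.forward(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", atk, now=301 + i)
    egress = sw.forward(a, b, 1, now=402)           # the victims' entries aged out meanwhile
    return atk in egress                            # True means the flood restored hub-like visibility
```

With the per-port limit on, the attacker's port is err-disabled after the third spoofed source and the victims' later traffic never reaches it.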
ARP poisoning (ARP spoofing) is the most-tested Layer 2 attack. The Address Resolution Protocol maps an IP to a MAC on the local segment, and it is stateless and unauthenticated — a host accepts an ARP reply even if it never sent a request (a gratuitous ARP). The attacker sends forged ARP replies telling the victim "the gateway's IP is at my MAC" and tells the gateway "the victim's IP is at my MAC." Both poison their ARP caches and send traffic through the attacker, who becomes a man-in-the-middle (MITM). From there the attacker can read cleartext, perform SSL stripping, or selectively modify traffic.
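The defender-side view of that exchange, as an added example not taken from the CEH material: an arpwatch-style checker run over constructed ARP frames that flags unsolicited replies, changed IP-to-MAC bindings, and a single MAC claiming several IPs (the signature of one host claiming both gateway and victim). All addresses are made up.

```python
from collections import defaultdict

# Constructed ARP traffic for the demo (not a real capture). Fields follow the ARP
# header: (time, opcode, sender MAC, sender IP, target IP); opcode 1 = request, 2 = reply.
SAMPLE_ARP = [
    (0.0, 1, "aa:aa:aa:00:00:05", "10.0.0.5", "10.0.0.1"),  # host .5 asks who has the gateway
    (0.1, 2, "cc:cc:cc:00:00:01", "10.0.0.1", "10.0.0.5"),  # the real gateway answers
    (5.0, 2, "bb:bb:bb:00:00:99", "10.0.0.1", "10.0.0.5"),  # forged: "gateway is at my MAC"
    (5.0, 2, "bb:bb:bb:00:00:99", "10.0.0.5", "10.0.0.1"),  # forged: "victim is at my MAC"
    (6.0, 1, "aa:aa:aa:00:00:07", "10.0.0.7", "10.0.0.9"),  # unrelated, normal exchange
    (6.1, 2, "aa:aa:aa:00:00:09", "10.0.0.9", "10.0.0.7"),
]


def detect_arp_poisoning(frames):
    """Return alerts as (time, kind, subject, detail) for suspicious ARP activity."""
    bindings = {}                    # ip -> first MAC seen owning it
    pending = set()                  # (requester_ip, requested_ip) awaiting a reply
    ips_by_mac = defaultdict(set)    # which IPs each MAC has claimed
    alerts = []
    for t, op, smac, sip, tip in frames:
        # Sender fields carry an IP-to-MAC binding in both requests and replies.
        first = bindings.setdefault(sip, smac)
        if first != smac:
            alerts.append((t, "binding_changed", sip, f"{first} -> {smac}"))
        ips_by_mac[smac].add(sip)
        if op == 1:                  # request: remember who asked for what
            pending.add((sip, tip))
            continue
        # Reply: a legitimate one answers an outstanding request from the target.
        # Gratuitous ARP (a host announcing a new lease) also trips this check,
        # so correlate with DHCP logs before treating it as an attack on its own.
        if (tip, sip) in pending:
            pending.discard((tip, sip))
        else:
            alerts.append((t, "unsolicited_reply", smac, f"claims {sip}"))
        if len(ips_by_mac[smac]) > 1:   # routers with secondary IPs are a benign cause
            alerts.append((t, "mac_claims_multiple_ips", smac, sorted(ips_by_mac[smac])))
    return alerts
```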
| Attack | Abused mechanism | Result |
|---|---|---|
| MAC flooding | Switch CAM table overflow | Switch floods like a hub |
| ARP poisoning | Unauthenticated ARP replies | MITM between two hosts |
| MAC spoofing | No port-to-MAC binding | Impersonate another host |
| Switch port stealing | ARP race for a victim's port | Hijack frames |
DHCP and DNS Attacks; SPAN-Port Capture
DHCP starvation floods the DHCP server with requests using spoofed source MAC addresses (tool: dhcpstarv/Yersinia), exhausting the pool of leasable IP addresses so legitimate clients can't get an address — a denial of service. It is often paired with a rogue DHCP server the attacker stands up: starve the real server, then hand victims a lease pointing at the attacker's IP as the default gateway and DNS server, achieving MITM by configuration.
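An added example, not from the CEH material, of the DHCP-snooping logic a defender would use against both halves of this attack, run over constructed DHCP events: a burst of distinct client MACs on one access port flags starvation, and a server message arriving on an untrusted port flags a rogue server. The trusted port number, thresholds and addresses are assumptions for the demo.

```python
from collections import defaultdict, deque

TRUSTED_PORTS = {24}        # uplink toward the real DHCP server (assumed for the demo)
WINDOW = 10.0               # seconds of history kept per port
MAX_CLIENTS_PER_PORT = 5    # distinct client MACs tolerated per access port per window

# Constructed DHCP events (not a real capture): (time, switch port, message, client MAC, server IP)
SAMPLE_DHCP = [
    (0.0, 1, "DISCOVER", "aa:aa:aa:00:00:01", None),
    (0.5, 24, "OFFER", "aa:aa:aa:00:00:01", "10.0.0.2"),            # real server, trusted port
] + [
    (1.0 + 0.1 * i, 7, "DISCOVER", f"de:ad:be:ef:00:{i:02x}", None)  # burst of spoofed clients
    for i in range(8)
] + [
    (3.0, 7, "OFFER", "aa:aa:aa:00:00:03", "10.0.0.66"),            # OFFER from an access port
]


def dhcp_snoop(events):
    """Return (time, kind, port, detail) alerts for starvation bursts and rogue servers."""
    recent = defaultdict(deque)   # port -> (time, client MAC) seen within the window
    starving = set()              # ports already reported, so each burst alerts once
    alerts = []
    for t, port, msg, mac, server in events:
        if msg in ("OFFER", "ACK", "NAK"):
            if port not in TRUSTED_PORTS:   # only trusted ports may carry server replies
                alerts.append((t, "rogue_dhcp_server", port, server))
            continue
        if msg != "DISCOVER":
            continue
        q = recent[port]
        while q and t - q[0][0] > WINDOW:   # drop entries older than the window
            q.popleft()
        q.append((t, mac))
        distinct = {m for _, m in q}
        if len(distinct) > MAX_CLIENTS_PER_PORT and port not in starving:
            starving.add(port)
            alerts.append((t, "dhcp_starvation", port, len(distinct)))
    return alerts
```

On real gear the same two rules are what "DHCP snooping" with a trusted uplink and a per-port rate limit enforce in hardware.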
DNS poisoning corrupts name resolution so a hostname resolves to an attacker IP. Variants include local hosts-file/cache poisoning, rogue-DHCP DNS (above), and DNS cache poisoning against a resolver. The victim types the right URL but lands on the attacker's server.
All of these share a root cause CEH wants you to recognize: unauthenticated control-plane protocols (ARP, DHCP, DNS) trust whatever they receive.
For authorized capture on a switch, defenders use a SPAN port (Switched Port Analyzer / port mirroring): the switch copies traffic from one or more ports/VLANs to a designated monitor port where Wireshark or an IDS listens. Because switches isolate traffic, SPAN — not promiscuous mode — is the reliable, legitimate way to see full traffic on modern wired networks. A network TAP is the hardware equivalent and is preferred for forensics because it cannot drop frames under load.
Remember the layered targets: hub = passive sniffing trivially; switch = needs active sniffing (CAM/ARP/DHCP/DNS abuse); monitored switch = use SPAN/TAP for legitimate analysis.
Protocols at Risk and Wireshark in Practice
Sniffing matters because many legacy protocols carry credentials and data in cleartext. CEH wants you to know which protocols leak and what replaces them:
| Cleartext protocol | Port | Leaks | Secure replacement |
|---|---|---|---|
| Telnet | 23 | Login + session | SSH (22) |
| FTP | 21 | Credentials + files | SFTP / FTPS |
| HTTP | 80 | Cookies, form data | HTTPS (443) |
| POP3 / IMAP / SMTP | 110 / 143 / 25 | Mail creds & content | POP3S/IMAPS/SMTPS, STARTTLS |
| SNMP v1/v2c | 161 | Community strings | SNMPv3 |
| LDAP | 389 | Directory binds | LDAPS (636) |
When an attacker MITMs or captures a segment, these protocols hand over usable credentials directly — which is why sniffing pairs naturally with the credential-attack material elsewhere in CEH.
Wireshark is the tool you must understand operationally, including its display-filter syntax (syn==1, dns). Useful workflows CEH references: **Follow TCP/HTTP Stream** to reconstruct a conversation, **Statistics > Conversations/Endpoints** to spot top talkers, and **Export Objects** to pull files out of a capture. To capture beyond your own traffic you need **promiscuous mode** on a shared segment, or a **SPAN/mirror port** or **TAP** on a switch. Capture files use the pcap format, and tshark automates analysis. Recognizing a filter, identifying a leaked credential in a stream, or naming the capture mechanism are all realistic exam tasks — and all are framed as authorized security analysis.
An attacker on a switched LAN floods the switch with frames using thousands of random spoofed source MAC addresses. The switch begins flooding all traffic out every port. What attack is this?
Why does ARP poisoning succeed against most hosts?
A defender needs to capture all traffic crossing a switch for an IDS without altering host behavior. What is the correct mechanism?