CEH

224 Chapter 9 ■ Sniffers


The CEH exam will expect you to know how to identify packet details such as hexadecimal IP addresses, at least on paper. Remember, in a test environment, if you can determine the first octet and eliminate one or more of the possible answers, do it! If you are rusty on breaking down IP addresses into hex, refer to Chapter 2 and practice until you feel comfortable with the process.

Switched Network Sniffing


Switched networks present an inherent initial challenge to sniffing a network in its entirety. A wired switch doesn't allow you to sniff the whole network. As you saw in Chapter 2, each switchport is its own collision domain, so traffic that passes through the switch is delivered only to the port where the destination lives rather than to every port. Okay, enough switch talk. Your goal is to be able to sniff whichever portions of the network you want, at will. To achieve this you can use the various techniques that we'll explore in this section.

MAC Flooding


One of the most common methods for enabling sniffing on a switch is to turn it into a device that does allow sniffing. Because a switch keeps traffic separate to each switchport (collision domain), you want to convert it into a hub-like environment. A switch keeps track of the MAC addresses it has seen by writing them to a content addressable memory (CAM) table. If a switch is flooded with frames from a very large number of source MAC addresses, it can easily overwhelm the switch's ability to write new entries to its own CAM table. With the table full, the switch can no longer learn where new hosts live and falls back to forwarding frames to every port, which makes it behave like a giant hub. There are a few utilities available to accomplish this technique. One common Linux utility is Macof. Check out Figure 9.2 to see Macof in action.

FIGURE 9.2 Macof MAC flood
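The following is an added example, written from the defender's side, and is not code from the book or from Macof. It models a switch CAM table with a fixed capacity (256 entries is an assumption chosen to keep the demo small) to show why a full table degrades the switch to hub-like flooding, and it applies the port-security style check that catches this condition: counting distinct source MACs per port and flagging any port that exceeds a limit. The frame records are constructed sample data.

```python
"""Model CAM table exhaustion and detect a MAC-flood pattern (added example)."""
from collections import defaultdict

# Constructed sample: (ingress_port, src_mac) pairs in the order a switch sees them.
NORMAL_FRAMES = [
    (1, "00:11:22:33:44:01"), (1, "00:11:22:33:44:01"),
    (2, "00:11:22:33:44:02"), (3, "00:11:22:33:44:03"),
]
# 300 fabricated source MACs arriving on port 4, then the legitimate hosts.
FLOOD_FRAMES = [(4, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(300)] + NORMAL_FRAMES


class CamTable:
    """Minimal CAM table: maps MAC -> port, with a hard capacity (assumption: 256)."""

    def __init__(self, capacity=256):
        self.capacity = capacity
        self.entries = {}

    def learn(self, port, mac):
        """Learn a source MAC; returns False when the table is full and the MAC is new."""
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = port
            return True
        return False

    def forward_port(self, dst_mac):
        """A known destination goes to one port; None means the frame is flooded to all ports."""
        return self.entries.get(dst_mac)


def detect_mac_flood(frames, per_port_limit=8):
    """Port-security style check: ports sourcing more than per_port_limit distinct MACs."""
    seen = defaultdict(set)
    for port, mac in frames:
        seen[port].add(mac)
    return sorted(p for p, macs in seen.items() if len(macs) > per_port_limit)


def run(frames, capacity=256):
    """Replay frames through the CAM model and report the resulting state."""
    cam = CamTable(capacity)
    not_learned = sum(0 if cam.learn(p, m) else 1 for p, m in frames)
    return {
        "learned": len(cam.entries),
        "not_learned": not_learned,
        # Where a reply to the host on port 1 would be sent: 1 normally, None (flooded) after the attack.
        "victim_unicast_port": cam.forward_port("00:11:22:33:44:01"),
        "flagged_ports": detect_mac_flood(frames),
    }
```

In the flood case the legitimate host on port 1 is never learned, so frames addressed to it are flooded out every port and become visible to a sniffer, while the detector singles out port 4 as the source of the flood.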