

Adventures with Sniffing the Network - iodigitalsec
http://www.iodigitalsec.com/sniffing-the-network/

======
jlgaddis
While this article is, for the most part, technically sound, there are some
minor inaccuracies centered around layer two.

Normally, I wouldn't bother nitpicking like this. I'm going to this time,
however, because from a security standpoint, many knowledgeable people who
otherwise have a good grasp of networking (at least, from layer 3 on up) seem
to ignore, neglect, forget about, or simply lack understanding of layer two.

To illustrate:

_Switches rely on ARP packets which are easily forged in order to learn which
devices are on which ports._

A standard (non-routing) Ethernet switch without a configured IP address will
actually have an empty ARP table. An Ethernet switch with dynamic learning
enabled inspects the source address field of incoming frames -- another
nitpick: at layer two they're "frames", not packets -- and uses its contents
to build the table.

Note that the source MAC address in the Ethernet frame is not the same (field)
as the sender hardware address within an ARP packet. While the two would
ordinarily have the same value, it's possible for them to differ.

(Armed with this information, it's possible to do a "targeted" version of the
attack described in this article, as opposed to an all-encompassing attack
affecting every host on the same broadcast domain.)

Anyways, as I mentioned earlier, lots of people (especially here on HN) are
well aware of attacks at layer 3 and up but layer 2 is often neglected and,
while firewalls and proxies may be in place for protection, the network can
still be vulnerable to ARP spoofing (as described in this article), VLAN
hopping, DHCP starvation, STP & DTP attacks, CAM overflow, etc.

If you operate a network, don't forget about layer two! Hopefully you are
using managed network switches, in which case, DHCP snooping (also mentioned
in the article), dynamic ARP inspection, port security, and many others are
your friends.
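The distinction drawn in the comment above, between the Ethernet frame's source MAC and the sender hardware address inside the ARP payload, is something a defender can check directly, in the spirit of dynamic ARP inspection. The following is an added example, not code from the article or from the commenter: it parses an untagged Ethernet/IPv4 ARP frame and flags a frame whose two addresses disagree, or whose sender does not match a trusted IP-to-MAC binding table (the table is constructed here; a managed switch would populate it from DHCP snooping).

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_LEN = 28  # Ethernet/IPv4 ARP payload length

def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_to_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def build_arp_frame(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Constructed sample frame: Ethernet II header followed by an Ethernet/IPv4 ARP packet."""
    eth = struct.pack("!6s6sH", mac_to_bytes(eth_dst), mac_to_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_to_bytes(sha), IPv4Address(spa).packed,
                      mac_to_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp

def parse_arp_frame(frame):
    """Return (ethernet source MAC, ARP sender hardware address, ARP sender IP)."""
    if len(frame) < 14 + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:14 + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return mac_to_str(src), mac_to_str(sha), str(IPv4Address(spa))

def check_arp_frame(frame, bindings):
    """Return a list of findings for one frame (empty when it is consistent).

    bindings: {ip: mac} of trusted IP-to-MAC pairs, e.g. a DHCP snooping table.
    """
    eth_src, sha, spa = parse_arp_frame(frame)
    findings = []
    # The two address fields are distinct; a mismatch is worth flagging.
    if eth_src != sha:
        findings.append(f"frame src {eth_src} differs from ARP sender hw {sha}")
    # Dynamic-ARP-inspection style check against the trusted binding table.
    expected = bindings.get(spa)
    if expected is not None and expected != sha:
        findings.append(f"ARP sender {spa} claims {sha}, binding says {expected}")
    return findings
```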

