
Something like triggering a memory-read of a specific address the moment you see a TLS Diffie-Hellman exchange on the wire? The idea being that you can recover the session key, and thus break the encryption retroactively.

That requires more than just access to the network, but it is rather simple.

With just access to the network, perhaps one could do spoofed DNS responses that are never seen on the network? A very simple '1% of the time, set the gmail.com A record to the Chinese gmail IP' might be enough.

One could create mayhem by sending false ARP or DHCP responses, but that is only mayhem. Perhaps if it is externally triggerable it is useful offensively as DoS.



