Saturday, February 7, 2009

Flood the MAC address table of a Switch

Lab Section: Switch

Lab Title: Flood the MAC address table of a Switch


In this lab exercise, we will complete the following tasks:

1. Use Ettercap to overflow the MAC address table of a Cisco 2950 switch.

2. Use Wireshark to sniff the FTP password.


Switches maintain a table of MAC addresses and their associated switch ports. When a switch receives a frame, the destination MAC address is checked against the table, and the corresponding port is used to forward the frame out of the switch. If a switch does not know which port to use for the frame, or the frame is a broadcast, the frame is sent out of all ports except the one where it arrived.


Your computer is connected to an uncontrolled switch. You want to sniff the traffic of the other computers connected to this switch. Because the switch uses a MAC address table to match destinations, you have to flood this table to force the switch to broadcast every frame and work like a hub.


This figure illustrates the lab network environment:


Tools and Resources

In order to complete the lab, the following is required:

1. Ettercap 0.7.3:

2. Wireshark 1.05:

3. Putty or HyperTerminal

Additional Materials

Visit the following website for more information on the objectives covered in this lab:




1. Preparation: Start the FTP server and Telnet server on the Windows 2003 server and check the connection between these PCs.

1.1 In Server, open a command line window.

1.2 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.3 Enter “ping” to check the connection to the other computer.

1.4 Enter “ping” to check the connection to the other computer. Make sure they are all connected.

1.5 Open “Control Panel”-> “Administrative Tools”-> “Services”, find the Telnet service and start it.

1.6 Back to the “Administrative Tools”, open “Computer Management”, click “Local Users and Groups”.

1.7 Enter the “User” window and add 2 new users, one named “telnetuser” and the other “ftpuser”. Set a password for each and uncheck the “user must change password at next logon” option (this is just for convenience; in a real environment you should leave this option checked).

1.8 Make the user “telnetuser” a member of the “TelnetClients” group.

1.9 Return to the “Administrative Tools” window. Run “Internet Information Services (IIS) Manager” to set up the FTP server.

1.10 Right click “Default FTP Site”, choose “Properties”, uncheck “Allow anonymous connections”, and apply the change.

1.11 In Sniffer PC, open a command line window.

1.12 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.13 Run Wireshark and click menu “Capture”-> “Interface”. Click “Options” to open the capture options window.

1.14 Set up the capture filter; we use “IP only” here. Click “Start”.

1.15 Wireshark starts to capture packets. As you can see, only broadcast and local packets are received.

1.16 In User PC, open a command line window.

1.17 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.18 Ping, Wireshark will capture the ICMP traffic because Wireshark is running in

1.19 Telnet, Wireshark won’t get any packets because the switch forwarded the packets to directly.

1.20 Connect the switch to the User PC with console cable.

1.21 Run Putty and open the terminal window.


Switch>Show mac-address-table dynamic

OK, the test environment is set up.


2. Flood MAC-address table.

2.1 In Sniffer PC: let’s use another capture filter in Wireshark, because we only care about the traffic of the server

2.2 In Wireshark, click menu “Capture”-> “Interface”, click “Options”, then click “Capture Filter”, and choose “IP address”; you may change the IP address. Click “OK” and “Start”.

2.3 Run Ettercap. Click menu “Sniff”-> “Unified sniffing”, select the network interface, click “OK”.

2.4 Click menu “Plugins”-> “Manage the plugins”, select “rand_flood”. Click menu “Start”-> “Start sniffing”.

2.5 In User PC: Inside the Putty window, enter “Show mac-address-table dynamic”; we’ll be able to see a lot of fake MAC addresses.

2.6 Open a command line window, enter “telnet”, enter username and password, connect to the telnet server.

2.7 In Sniffer PC ( we’ll be able to see the Telnet traffic between and, because the MAC address table is full, the switch has to broadcast the packets.

2.8 In User PC: Open IE Browser, enter Ftp://, enter username and password. Connect to the FTP server.

2.9 In Sniffer PC ( we’ll be able to see the FTP traffic between and

2.10 Ettercap can also sniff the Telnet and FTP passwords, but if you want to capture and analyze other traffic, Wireshark is the better choice.
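
A defender's check for the symptom seen in step 2.5, as an added example that is not part of the original lab: it parses “Show mac-address-table dynamic” output and flags ports that learned more MAC addresses than an access port normally would. The sample output is constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of "show mac-address-table dynamic" on a
# Catalyst 2950; the addresses and ports are invented for illustration.
SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000c.29aa.0001    DYNAMIC     Fa0/1
   1    000c.29aa.0002    DYNAMIC     Fa0/2
   1    5e1f.03b2.77a0    DYNAMIC     Fa0/3
   1    a6c4.9d10.02fe    DYNAMIC     Fa0/3
   1    1a77.e0c3.5b12    DYNAMIC     Fa0/3
   1    f2d0.44ab.9c31    DYNAMIC     Fa0/3
   1    0e93.6a5f.d008    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 7
"""

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+DYNAMIC\s+(\S+)\s*$", re.I)

def parse_dynamic_entries(text):
    """Return (vlan, mac, port) tuples for every DYNAMIC row; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return entries

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set. Vendor-assigned
    NIC addresses leave it clear; randomly generated ones set it about half the time."""
    return bool(int(mac[:2], 16) & 0x02)

def suspicious_ports(text, max_macs_per_port=3):
    """Map port -> stats for ports above max_macs_per_port (an assumed threshold)."""
    by_port = defaultdict(list)
    for _vlan, mac, port in parse_dynamic_entries(text):
        by_port[port].append(mac)
    report = {}
    for port, macs in by_port.items():
        if len(macs) > max_macs_per_port:
            local = sum(is_locally_administered(m) for m in macs)
            report[port] = {"count": len(macs), "locally_administered": local}
    return report

if __name__ == "__main__":
    print(suspicious_ports(SAMPLE))
```

Uplink and trunk ports legitimately carry many addresses, so the threshold only makes sense for access ports.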

