LAN Reconnaissance
By: O'Reilly Media
    2008-11-13


    Table of Contents:
  • LAN Reconnaissance
  • 4.1 Mapping the LAN
  • 4.2 Using ettercap and arpspoof on a Switched Network
  • 4.3 Dealing with Static ARP Tables
  • 4.4 Getting Information from the LAN
  • 4.5 Manipulating Packet Data


    LAN Reconnaissance - 4.3 Dealing with Static ARP Tables
    ( Page 4 of 6 )

    If the LAN you are sniffing uses static ARP mapping, or retains ARP information for a very long time, normal ARP poisoning will not work because each host ignores any ARP Reply messages you send.

    Even though it is not stealthy in the least, my favorite way is to use ettercap’s port mode and basically blast the existing hosts out of the switch’s internal MAC table. It is going to take some explaining to truly appreciate how this works.

    When you use ettercap’s port mode, it floods the network with crafted ARP packets. Each packet has the source MAC set to a valid network host and the destination MAC set to your sniffer’s interface. This accomplishes two tasks. First, you fool the switch into associating every host on the network with your network port. Second, you stand a very good chance of knocking every other entry in the switch’s MAC table out. For a moment, the switch sends packets originally destined for another host to your network port, and from there the packets go to your interface. Under normal circumstances, your interface would recognize that these packets are destined for a different MAC and ignore them, but in this case, ettercap accepts the packets and records the valid destination MAC. Then, ettercap sends an ARP Request packet to the valid MAC and waits for an ARP Reply to come from that machine. When the ARP Reply is received, ettercap knows that the switch has sorted everything out again, and so it repeats the process of flooding the LAN with crafted ARP packets.

    Amazingly, this works well enough to capture most, if not all, of the traffic between any two hosts:

      [lou@duodenum] ettercap -Tq -M port:remote

    ettercap can also circumvent static ARP tables using crafted ICMP Redirect packets. Basically, ettercap is telling the other hosts on the LAN that it is a better gateway than the default router. Unfortunately, this technique results in a half-duplex sniffing session; you can see traffic that the internal hosts are sending out, but the replies from systems beyond the gateway are not intercepted:

      [lou@duodenum] ettercap -Tq -M icmp:00:0A:5E:02:3B:B3/192.168.2.1

    ettercap’s dhcp MITM mode takes a long time because you have to wait for a host to renew its DHCP lease; however, if you are interested in how it works, the ettercap manpage covers it in detail.

    Using macof to Stupefy a Switch

    dsniff handles the problem of static ARP tables in a different way. The MAC OverFlow (macof) program floods the switch and the rest of the network with bogus MAC addresses with the intention of overloading the switch’s processor and memory limitations and forcing the switch to revert to hub mode. A surprising number of switches actually do this; rather than drop packets when overloaded, the switch willingly turns off the switching features designed to provide speed and drops to a hub mode, spamming every Ethernet frame it sees to every port. If this happens, you will suddenly start receiving frames intended for some other port, and you can begin sniffing as if you were connected to a hub. Once the network quiets down, the switch regains its composure. To keep the switch from recovering, stick macof into a simple while loop to have it run periodically:

      [lou@duodenum] while [ 1 ] ; do macof -n 300000 ; sleep 59 ; done

    The -n option sets the number of packets to send.
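    A defensive complement to the two flooding techniques above (ettercap's port mode and macof), written as an added example that is not from the book or from the ettercap/dsniff projects: it runs two detection heuristics over constructed frame records as a monitor attached to a switch mirror port would see them. The frame tuple layout, the thresholds, and every MAC address are assumptions chosen for the example.

```python
"""Heuristics for the switch-abuse patterns described above (added example).

Frames are constructed tuples (timestamp_s, src_mac, dst_mac, ethertype),
as a monitor on a switch mirror/SPAN port might record them (assumption).
"""

ARP = 0x0806
IPV4 = 0x0800
SNIFFER = "00:aa:bb:cc:dd:ee"  # constructed MAC of the hypothetical sniffer


def detect_cam_flood(frames, window_s=1.0, max_distinct_src=100):
    """Return window start times in which the number of distinct source MACs
    exceeds the threshold: the signature of CAM-table flooding (macof)."""
    buckets = {}
    for ts, src, _dst, _etype in frames:
        buckets.setdefault(int(ts // window_s), set()).add(src)
    return sorted(b * window_s for b, srcs in buckets.items()
                  if len(srcs) > max_distinct_src)


def detect_arp_fanin(frames, min_sources=20):
    """Return destination MACs that receive ARP frames from many different
    source MACs: the fan-in pattern of port-mode ARP flooding."""
    seen = {}
    for _ts, src, dst, etype in frames:
        if etype == ARP:
            seen.setdefault(dst, set()).add(src)
    return {dst for dst, srcs in seen.items() if len(srcs) >= min_sources}


def build_sample():
    """Constructed traffic: benign chatter, then a CAM flood, then ARP fan-in."""
    hosts = ["00:11:22:33:44:%02x" % i for i in range(5)]
    frames = []
    for ts in range(10):  # 0-9 s: five hosts talking among themselves
        for i, h in enumerate(hosts):
            frames.append((ts + 0.1 * i, h, hosts[(i + 1) % 5], IPV4))
    for i in range(150):  # 10-11 s: 150 bogus source MACs in one second
        bogus = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        frames.append((10 + i / 150, bogus, "ff:ff:ff:ff:ff:ff", IPV4))
    for i in range(30):  # 12-13 s: 30 ARP frames, each a different host MAC, all to the sniffer
        frames.append((12 + i / 30, "00:11:22:33:55:%02x" % i, SNIFFER, ARP))
    return frames


if __name__ == "__main__":
    sample = build_sample()
    print("CAM flood windows:", detect_cam_flood(sample))
    print("ARP fan-in targets:", detect_arp_fanin(sample))
```

    On a real switch these heuristics pair with port security (limiting learned MACs per port) and ARP inspection, which stop both patterns rather than merely flagging them.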

    Super-Stealthy Sniffing

    The bridge mode in ettercap requires two interfaces and proper positioning on the network segment. If you set up your machine inline with the network bridge or a router and enable bridged mode, you are very difficult to detect. Also, you are in a good position to play around with the data inside packets traversing your sniffer:

      [lou@duodenum] ettercap -Tq -i eth0 -B eth1

    The -i option sets the primary interface (here it’s eth0), and the -B option sets the second bridging interface.

    Since bridged mode requires two interfaces, casual sniffing on the LAN with a laptop is more difficult. The reason you may be interested in using bridged mode is that it is stealthy. You do not have to spray the LAN with ARP packets, nor do you have to win any DHCP races with some random server. You can sit quietly and intercept packets without putting any of your interfaces into promiscuous mode.

    If you like to run ettercap using the curses or GTK+ user interface, you can enable bridged mode when ettercap first starts by selecting the menu item “Sniff -> Bridged sniffing...” as shown in Figure 4-3.

    Once you have established yourself in bridge mode, sniffing and other functions are mostly the same as using Unified Sniffing mode, aside from some incompatibilities with a few MITM modes. The manpage contains a good explanation of what is going on.



    Figure 4-3.  Enabling bridge mode sniffing

    © 2003-2009 by Developer Shed. All rights reserved. DS Cluster 2 Hosted by Hostway