# Sniffing in Action

### 4.2. Sniffing in Action

Types of Sniffing:

1. Passive Sniffing
2. Active Sniffing
   * MAC Flooding
   * ARP Poisoning

**4.2.1. Passive Sniffing**

Passive sniffing attacks are performed by just *watching* packets on a network in order to gather sensitive information such as *user IDs* and *passwords*, along with anything else that crosses the wire in cleartext.

They are difficult to detect because of their "hands off" approach to gathering information: the sniffer only receives frames and never transmits anything of its own.

The only tool you need is a sniffer, such as Wireshark. Keep in mind that on a switched network a passive sniffer only sees the traffic the switch delivers to its own port (plus broadcast and multicast), which is why the active techniques below exist.
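As an added example (not part of the original notes), the following Python script does what a passive sniffer does once frames have been captured: it decodes a constructed Ethernet/IPv4/TCP frame and pulls the username and password out of a cleartext HTTP `Authorization: Basic` header, while the TLS-looking frame in the same batch yields nothing. The frames, addresses and credentials are constructed sample data; on a real network you would feed it frames read from a raw socket or a pcap instead of `SAMPLE_FRAMES`.

```python
import base64
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame for the demo.
    Checksums are left at zero (a parser does not need them); MACs are sample values."""
    eth = struct.pack("!6s6sH", bytes.fromhex("005056000002"), bytes.fromhex("005056000001"), ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != IPPROTO_TCP:
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4  # TCP header length in bytes
    return src_ip, dst_ip, sport, dport, frame[tcp + data_off:]


def find_basic_auth(payload):
    """Decode username/password from an HTTP 'Authorization: Basic' header, if present."""
    for line in payload.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization" and value.strip().lower().startswith(b"basic "):
            try:
                creds = base64.b64decode(value.strip()[6:], validate=True)
            except ValueError:            # binascii.Error is a ValueError
                return None
            user, _, pwd = creds.partition(b":")
            return user.decode(errors="replace"), pwd.decode(errors="replace")
    return None


def passive_sniff(frames):
    """Read-only: inspect every frame, never transmit. Returns the credentials found."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, _sport, dport, payload = parsed
        creds = find_basic_auth(payload)
        if creds:
            found.append({"client": src_ip, "server": f"{dst_ip}:{dport}",
                          "user": creds[0], "password": creds[1]})
    return found


# Constructed traffic: a cleartext HTTP request with Basic auth, and a TLS-looking
# record on port 443 that a passive sniffer can capture but not read.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.81", 40001, 443, b"\x16\x03\x01\x00\x2a" + bytes(42)),
]

if __name__ == "__main__":
    for record in passive_sniff(SAMPLE_FRAMES):
        print(record)
```

The same idea scales to any cleartext protocol (FTP `USER`/`PASS`, POP3, Telnet): only the payload matcher changes, the capture side stays entirely passive.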

**4.2.2. Active Sniffing**

Active sniffing relies on performing malicious operations (MAC flooding or ARP poisoning) on the network: the attacker injects packets in order to redirect traffic to a machine under their control.

Types of Active Sniffing:

**MAC Flooding**

MAC flooding is meant to stress the switch and fill its CAM table. A CAM table keeps all the information required to forward frames to the correct port: `<MAC address-port number-TTL>`, where the TTL is the aging timer after which an idle entry is dropped.

When the CAM table is filled with fake MAC addresses, the switch cannot learn new ones, and once the legitimate entries age out they cannot be re-learned either. The only way to keep the network alive is to forward frames destined for an unknown MAC address out of every port of the switch, so the switch fails open and acts like a hub. The attacker, sitting on one of those ports, now receives traffic that was never meant for it.
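The following simulation is an added example, not code from the original notes: it models a learning switch with a small CAM table and aging timer, then replays what a flooding tool such as macof does (a stream of frames with random source MACs) and shows the before/after forwarding decision for a legitimate frame. Port numbers, MAC addresses, the 16-entry table and the 300-second aging time are assumptions chosen for the demo (real tables hold thousands of entries, which is why the tool has to send so many frames).

```python
import random

AGING_SECONDS = 300  # assumed CAM aging time for the demo (a common switch default)


class Switch:
    """Learning switch with a bounded CAM table: MAC -> (port, last_seen).
    Real tables also carry a VLAN; the capacity here is tiny on purpose."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}

    def _expire(self, now):
        # Drop entries whose aging timer (TTL) has run out.
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items() if now - t <= AGING_SECONDS}

    def _learn(self, src, in_port, now):
        # A known MAC just refreshes its timer; a new one needs a free slot.
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = (in_port, now)
        # Full table: the frame is still forwarded, but nothing is learned.

    def forward(self, src, dst, in_port, now):
        """Return the list of egress ports the switch uses for this frame."""
        self._expire(now)
        self._learn(src, in_port, now)
        if dst in self.cam:
            return [self.cam[dst][0]]                    # known: unicast to one port
        return [p for p in self.ports if p != in_port]   # unknown: flood, hub-like


def random_mac(rng):
    return bytes(rng.randrange(256) for _ in range(6))


def mac_flood(switch, attacker_port, now, count, rng):
    """Emulate macof: a burst of frames with random source and destination MACs."""
    for _ in range(count):
        switch.forward(random_mac(rng), random_mac(rng), attacker_port, now)


def flood_demo(cam_capacity=16, seed=1):
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3], cam_capacity=cam_capacity)
    alice = bytes.fromhex("005056000001")  # on port 1
    bob = bytes.fromhex("005056000002")    # on port 2; the attacker sits on port 3
    # t=0..1: normal traffic, the switch learns both hosts.
    sw.forward(alice, bob, in_port=1, now=0)
    sw.forward(bob, alice, in_port=2, now=0)
    before = sw.forward(alice, bob, in_port=1, now=1)
    # The attacker floods bogus MACs every second for longer than the aging time:
    # the junk entries are always fresher than the real ones, which age out and
    # can never be re-learned because the table is full.
    for t in range(2, AGING_SECONDS + 10):
        mac_flood(sw, attacker_port=3, now=t, count=cam_capacity * 2, rng=rng)
    after = sw.forward(alice, bob, in_port=1, now=AGING_SECONDS + 10)
    return {"before": before, "after": after,
            "cam_full": len(sw.cam) == cam_capacity,
            "attacker_sees_traffic": 3 in after}


if __name__ == "__main__":
    print(flood_demo())
```

Before the flood the frame from alice to bob leaves only on port 2; afterwards it is flooded to ports 2 and 3, so the attacker's sniffer on port 3 captures it. The practical countermeasure is port security (a per-port limit on learned MACs, with the port shut or the excess dropped when it is exceeded), which caps how many entries one attacker port can ever add.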

**ARP Poisoning**

ARP poisoning (a.k.a. ARP spoofing) is probably the stealthiest of the active sniffing techniques. It does not need to bring down any switch functionality; instead it relies on traffic redirection: ARP replies are not authenticated, so a host accepts a forged "is-at" reply and updates its ARP cache with whatever MAC address the attacker chooses. This is one of the most used attacks to perform Man in the Middle attacks.

By poisoning the ARP caches of the selected victims, the attacker redirects their traffic to a specific machine (usually the attacker's own). This lets the attacker not only monitor the traffic, but also modify it.

Note that although ARP poisoning is mainly used to mount a MitM attack, it can also be used to DoS the network, for example by mapping the gateway's IP address to a MAC address that does not exist, so the victims' traffic is silently dropped.
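As an added example (not from the original notes), the script below builds the forged ARP "is-at" replies an attacker sends, feeds them to simulated victim and gateway hosts with a naive ARP cache, and shows the three outcomes discussed above: the MitM case (both directions of the flow now go to the attacker's MAC), the DoS case (the gateway IP is mapped to a MAC nobody owns) and the check a defender can run (a reply whose sender MAC contradicts a known static mapping, which is what arpwatch-style monitoring or static ARP entries give you). All addresses are constructed sample values; the `Host` class is a deliberately simplified model of a real stack.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP reply saying 'sender_ip is at sender_mac', unicast to the target."""
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class Host:
    """Host with a naive ARP cache: any reply addressed to it overwrites the
    cached mapping. ARP carries no authentication, which is what makes this work."""

    def __init__(self, mac_addr, ip_addr):
        self.mac, self.ip = mac_addr, ip_addr
        self.arp_cache = {}  # ip -> mac

    def receive(self, frame):
        a = parse_arp(frame)
        if a and a["op"] == ARP_REPLY and a["tpa"] == self.ip:
            self.arp_cache[a["spa"]] = a["sha"]

    def next_hop_mac(self, dst_ip):
        return self.arp_cache.get(dst_ip)


def suspicious_reply(frame, static_map):
    """Detection check: an ARP reply whose sender MAC contradicts a known IP->MAC mapping."""
    a = parse_arp(frame)
    return bool(a) and a["op"] == ARP_REPLY and a["spa"] in static_map and static_map[a["spa"]] != a["sha"]


def arp_demo():
    victim = Host(mac("00:50:56:00:00:05"), ip("10.0.0.5"))
    gateway = Host(mac("00:50:56:00:00:01"), ip("10.0.0.1"))
    attacker_mac = mac("00:50:56:00:00:66")
    # 1. Normal state: victim and gateway learn each other from genuine replies.
    legit = arp_reply(gateway.mac, gateway.ip, victim.mac, victim.ip)
    victim.receive(legit)
    gateway.receive(arp_reply(victim.mac, victim.ip, gateway.mac, gateway.ip))
    before = victim.next_hop_mac(gateway.ip)
    # 2. MitM: poison both sides so each direction of the flow is sent to the attacker.
    to_victim = arp_reply(attacker_mac, gateway.ip, victim.mac, victim.ip)
    to_gateway = arp_reply(attacker_mac, victim.ip, gateway.mac, gateway.ip)
    victim.receive(to_victim)
    gateway.receive(to_gateway)
    # 3. DoS: map the gateway IP to a MAC nobody owns; the victim's traffic is black-holed.
    dos_victim = Host(mac("00:50:56:00:00:06"), ip("10.0.0.6"))
    dos_victim.receive(arp_reply(mac("de:ad:be:ef:00:00"), gateway.ip, dos_victim.mac, dos_victim.ip))
    static_map = {gateway.ip: gateway.mac}  # what a defender would pin statically
    return {
        "before": before,
        "victim_to_gateway": victim.next_hop_mac(gateway.ip),
        "gateway_to_victim": gateway.next_hop_mac(victim.ip),
        "dos_next_hop": dos_victim.next_hop_mac(gateway.ip),
        "poison_flagged": suspicious_reply(to_victim, static_map),
        "legit_flagged": suspicious_reply(legit, static_map),
    }


if __name__ == "__main__":
    for key, value in arp_demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

Two things the model makes visible: a full MitM needs both caches poisoned (victim and gateway), and the forged replies must be re-sent periodically because real caches expire entries, so the same periodic replies are also what a monitoring tool sees and can flag against a known mapping.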
