the hub, letting the endpoints figure out who the frame belonged to, based on the
MAC address. There was no intelligence in the hub at all. It was simply a repeater.
A switch changes all that. The switch reads the layer 2 header to determine the desti‐
nation MAC address. It knows the port where the system that owns that MAC
address is. It determines this by watching traffic coming into each port. The source
MAC address gets attached to the port. The switch will commonly store these map‐
pings in content addressable memory (CAM). Rather than having to scan through an
entire table, the switch looks up the details by referring directly to the MAC address.
This is the content that becomes the address the switch refers to in order to get the
port information.
Why is this relevant here? Because you will sometimes want to collect information
from a system that you don’t have access to. If you owned the network and had access
to the switch, you may be able to configure the switch to forward traffic from one or
more ports to another port. This would be a mirror, rather than a redirection. The
recipient gets the traffic, but also a monitoring device or someone capturing traffic
for analysis would get the packets.
To obtain the messages you need if you can’t get legitimate access to them, you can
use a spoofing attack. In a
spoofing attack
, you pretend to be someone you are not in
order to get traffic. There are a couple of ways to do that, and we’ll take a look at these
different attacks.