During an internal penetration test you attach your laptop to an access switch and simply enable promiscuous mode on its NIC, hoping to view other employees' unicast traffic. You quickly notice that only broadcast and your own frames appear in Wireshark. Which statement best explains this behavior and how you could still capture other hosts' traffic without physical re-cabling the switch?
A switch blocks software sniffers entirely; only installing an in-line fiber tap enables passive capture, while ARP spoofing provides no advantage.
Because switches send unicast frames only to the correct port, passive sniffing sees just broadcast and local traffic; launching an ARP-poisoning or MAC-flooding attack can trick the switch into forwarding a victim's frames to the sniffer.
Passive sniffing fails on switches because they encrypt traffic; configuring the NIC for jumbo frames would allow interception of all unicast packets.
Passive sniffing is effective on a switched network as long as the sniffer's interface runs in full-duplex mode; no additional attacks are required.
Passive sniffing relies on putting a network interface into promiscuous mode and silently listening for frames that arrive on the wire. On a legacy hub, every frame is seen by every port, so this is enough to capture all traffic. A modern switch, however, forwards unicast frames only to the specific port on which the destination MAC address resides, so a passive sniffer on another port will see only broadcasts and its own traffic. To force a switch to deliver someone else's packets to the attacker, the tester must turn to an active technique such as ARP spoofing/poisoning or MAC flooding, which manipulates the switch's CAM table and causes mis-forwarding or duplication of traffic to the attacker's port. Enabling full-duplex, relying on VLAN tagging, or activating port security will not by itself provide visibility into other stations' unicast traffic; nor is a hardware tap necessary if software-based Layer 2 attacks succeed.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is ARP spoofing/poisoning?
Open an interactive chat with Bash
What is MAC flooding and how does it affect a switch?
Open an interactive chat with Bash
What does enabling promiscuous mode do in network sniffing?
Open an interactive chat with Bash
What is promiscuous mode on a NIC?
Open an interactive chat with Bash
How does ARP poisoning trick a switch?
Open an interactive chat with Bash
What is MAC flooding and how does it compromise a switch?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Network and Perimeter Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .