2

For testing purposes, I want to apply promiscuous mode in Wireshark to capture traffic not sent to me.

For this, I believe there is the need to poison the ARP table in the switch so that the attacker (me) gets all the requests.

Assume the switch used was a cheap commercial switch and the poisouning indeed took place and was not detected and the table was messed up.

Does this have any further consequences? Will the entire network (around 15 wired devices) have a lag to the internet or so? Can I put the table back to its place ?

I will carry the attack using Cain and Abel for Windows.

I repeat again, this will be done on my own network for testing purposes.

Update: As hinted by immibis, the switches do not have an ARP table but rather a Forwarding table. There is apparently a naming misconception going on, where ARP in its literally sense, happens inside the computer or the machine creating the frame, because it needs the MAC address of the target machine it needs to send the frame to.

tony9099
  • 779
  • 1
  • 5
  • 10
  • 1
    Any time I've ever played with Cain and Abel there has been a noticeable lag with the victim's computer accessing the internet. The ARP table was returned to normal once you hit "Stop poisoning" in CAA. – DKNUCKLES Mar 22 '17 at 15:22
  • If your goal is to "capture traffic not sent to me" and you have control over network, then port mirroring/SPAN/traffic duplication is the right way to do this and not ARP poisoning. – Kirill Sinitski Mar 22 '17 at 18:56
  • 1
    Switches don't have ARP tables. – user253751 Mar 22 '17 at 21:10
  • @immibis I updated the question after your hint. Thanks a lot. It would've been nicer if you elaborated though. – tony9099 Mar 23 '17 at 14:23

1 Answers1

1

First, in order to get all the request you'll need to poision the clients too - if you'll poision only the switch, you'll get only the answer to the requests. Because the client will transfer the request to the switch and the switch will transfer further.

Second, a lag will occur as you add another node in the transport link (actually it's more than 1).

Third, afaik there wouldn't be any other consequences besides lagging.

Fourth, the table will get back after you stop poisioning - the client will try to request, see that there is no response and will start ARPing.

Bluestar
  • 119
  • 5