ARP poisoning and MAC flooding are both forms of which type of sniffing?
None of the above, ARP Poisoning and MAC Flooding are not required in order to sniff some networks
active sniffing
enumeration sniffing
passive sniffing
ARP poisoning and MAC flooding are critical elements of the active sniffing process in a switched network. Specifically, sniffing is the term used to describe the process of reading all packets on a network segment. This is relatively easy on a hub-connected network because a hub is a broadcast medium, and the pentester would only have to place his or her NIC in promiscuous mode to 'sniff' or read all traffic on that network segment. This is not possible in a switched network, because a switch builds a table of MAC addresses and their associated ports when the switch is powered on. When a host transmits an Ethernet frame, the switch examines the destination MAC address and routes the frame to the associated port as given in the switch table. Therefore, it is not possible to sniff any traffic on a switched network that is functioning normally.
To sniff traffic in a switched environment, the pentester must use a method to alter the routing tables, such as ARP poisoning. The pentester sends floods of spoofed ARP replies to the switch. The switch will process these replies, updating its routing table and altering the real MAC table data. When the flood is conducted at a rapid rate, the switch's table will overflow and the switch will default to broadcasting all traffic to all ports, like a hub. Active methods such as ARP poisoning essentially force a switch to behave like a hub.
Passive sniffing is an incorrect answer because, in order to ARP poison or MAC flood, the pentester must interact with the target device or conduit (hence active instead of passive). Enumeration sniffing doesn't exist. And finally, "None of the above, ARP poisoning and MAC flooding are not required to sniff any network" is incorrect because those methods are essential to sniffing a switched network.
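The table-overflow behaviour described above can be seen in a small model of a learning switch. This is an added example, not part of the original explanation; the table size, port numbers, MAC addresses and the per-port learning limit (a mitigation in the style of switch port-security features) are assumptions constructed for illustration.

```python
class LearningSwitch:
    """Toy model of a switch's MAC table (constructed for illustration)."""

    def __init__(self, ports, capacity, per_port_limit=None):
        self.ports = list(ports)
        self.capacity = capacity              # total table entries (assumed size)
        self.per_port_limit = per_port_limit  # assumed port-security style cap
        self.table = {}                       # source MAC -> port it was seen on
        self.alerts = []                      # (port, mac) learning violations

    def _learn(self, src, port):
        if src in self.table:
            self.table[src] = port            # known address: refresh its port
            return
        on_port = sum(1 for p in self.table.values() if p == port)
        if self.per_port_limit is not None and on_port >= self.per_port_limit:
            self.alerts.append((port, src))   # refuse to learn, record for detection
            return
        if len(self.table) < self.capacity:
            self.table[src] = port
        # Table full: the new address is silently not learned.

    def forward(self, src, dst, in_port):
        """Return the list of ports the frame is sent out of."""
        self._learn(src, in_port)
        if dst in self.table:
            return [self.table[dst]]                     # known: one port only
        return [p for p in self.ports if p != in_port]   # unknown: hub-like flood


def run(per_port_limit):
    sw = LearningSwitch(ports=[1, 2, 3], capacity=8, per_port_limit=per_port_limit)
    # Port 3 presents many constructed source addresses before real hosts talk.
    for i in range(20):
        sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", in_port=3)
    sw.forward("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", in_port=1)  # host A speaks
    out = sw.forward("bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01", in_port=2)  # B -> A
    return out, len(sw.alerts)


if __name__ == "__main__":
    print("no limit:      ", run(None))  # frame for A also leaves port 3
    print("limit 2 / port:", run(2))     # frame for A leaves port 1 only
```

Without the limit, host A's address never fits in the full table, so the frame addressed to A is flooded to every other port; with the limit, the table keeps room for A and each refused address is recorded as an alert.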
Comment: "routes" and "routing" are used in the above explanation. They are incorrect, as switches are layer 2 devices and don't route traffic (an L3 function), which is a router's job. It should say forwarding frames, and use CAM tables, not routing tables.
EDIT: ARP poisoning and MAC flooding are NOT sniffing. They might be used prior to sniffing, but they're NOT sniffing itself.