Eccouncil 312-50 Exam - Topic 11 Question 103 Discussion

Actual exam question for Eccouncil's 312-50 exam

Question #: 103
Topic #: 11

[All 312-50 Questions]

In a large organization, a network security analyst discovered a series of packet captures that seem unusual.

The network operates on a switched Ethernet environment. The security team suspects that an attacker might

be using a sniffer tool. Which technique could the attacker be using to successfully carry out this attack,

considering the switched nature of the network?

AThe attacker might be compromising physical security to plug into the network directly

BThe attacker might be implementing MAC flooding to overwhelm the switch's memory

CThe attacker is probably using a Trojan horse with in-built sniffing capability

DThe attacker might be using passive sniffing, as it provides significant stealth advantages
Explanation:
A sniffer tool is a software or hardware device that can capture and analyze network traffic. In a switched Ethernet environment, where each port on a switch is connected to a single device, a sniffer tool can only see the traffic that is destined for or originated from the device it is attached to. However, an attacker can use various techniques to overcome this limitation and sniff the traffic of other devices on the same network. One of these techniques is MAC flooding, which exploits the finite memory of the switch's MAC address table. The attacker sends a large number of frames with different source MAC addresses to the switch, which fills up the MAC address table and causes the switch to enter a fail-open mode, where it broadcasts all incoming frames to all ports, regardless of the destination MAC address. This way, the attacker can see all the traffic on the network and capture it with a sniffer tool.
The other options are less likely or less effective techniques for sniffing a switched Ethernet network. Compromising physical security to plug into the network directly may allow the attacker to sniff the traffic of the device they are connected to, but not the traffic of other devices on the network. Using a Trojan horse with in-built sniffing capability may allow the attacker to sniff the traffic of the infected device, but not the traffic of other devices on the network, unless the Trojan horse also performs MAC flooding or other techniques to bypass the switch. Using passive sniffing, which involves listening to the network traffic without sending any packets, may provide significant stealth advantages, but it does not help the attacker to see the traffic of other devices on the network, unless the switch is already in fail-open mode or the attacker uses other techniques to induce it.

Reference:
Sniffing: A Beginners Guide In 4 Important Points
How can I run a packet sniffer on a Router or Switch
Detection of Sniffers in an Ethernet Network

Show Suggested Answer

Suggested Answer: B

by Albert at Mar 03, 2025, 11:34 PM

Limited Time Offer

25%

6 months ago

This seems like a tricky one. I'll need to think carefully about the switched network environment and how an attacker could bypass the security measures.

upvoted 0 times

...