Maker tech hub — AI · 3D print · Pi · ESP32 · plus the classic tech archive.

Free ESP32 kit · Books · Network Ninja · Archive

Classic tech archive. From the original averyjparker.com tech blog — historical context; pair with modern guides where noted. Full archive · Maker projects · Network Ninja

Classic tip · Security

Network Security - Hub or Switch?

So, for those that have a little bit of knowledge about network hardware, you've probably heard this. "You can't sniff switched networks".... wrong.... let's see what this is about. Older networking …

Written by

Avery J. Parker

IT veteran, maker educator, and author of Network Ninja, 3D Printing Mastery, and AI Workflow Mastery. Business IT: Diversified Tech Solutions.

So, for those that have a little bit of knowledge about network hardware, you've probably heard this. "You can't sniff switched networks".... wrong.... let's see what this is about. Older networking hardware was dominated by what's called a hub. This was basically a "dumb" device that when it received data, it would retransmit the data to every machine connected with the expectation that the correct recipient would answer and all others would ignore that data. Of course, this stream of data is possible to watch and easily available software could log all network traffic fairly easily.


So, anything that is unencrypted could be captured and analyzed by any machine hooked up to a hub. But switches were supposedly smarter and some still think that a switch prevents network sniffing. A switch is supposed to know which machines are connected to which ports. So, data destined for machine A ONLY goes to machine A. This knowledge of what machine is where relies upon MAC addressing. So, this is susceptible to a number of attacks.

First, using easily available software, an attacking machine could flood the switch with bogus (false) MAC addresses, at which point the switch will likely give up and fallover to "hub" mode. Also, it's possible to change the mac address of a network interface. This is another fairly easily available attack. The idea is that you duplicate the MAC address of the "target machine" and then both machines receive the same data from the switch.

There's yet another approach though that has more interesting possibilities in the area of risk though. That is something called ARP spoofing (or arp poisoning.)

So, in short, switched networks can easily be sniffed.