nerdexam
EC-Council

312-50V13 · Question #523

In a large organization, a network security analyst discovered a series of packet captures that seem unusual. The network operates on a switched Ethernet environment. The security team suspects that a

The correct answer is B. The attacker might be implementing MAC flooding to overwhelm the switch's memory. Explanation MAC flooding is the most viable technique for sniffing traffic on a switched network, because switches normally forward traffic only to the intended port based on their MAC address table (CAM table). By flooding the switch with thousands of fake MAC addresses, the att

Submitted by daniela_cl· Mar 6, 2026Sniffing

Question

In a large organization, a network security analyst discovered a series of packet captures that seem unusual. The network operates on a switched Ethernet environment. The security team suspects that an attacker might be using a sniffer tool. Which technique could the attacker be using to successfully carry out this attack, considering the switched nature of the network?

Options

  • AThe attacker might be compromising physical security to plug into the network directly
  • BThe attacker might be implementing MAC flooding to overwhelm the switch's memory
  • CThe attacker is probably using a Trojan horse with in-built sniffing capability
  • DThe attacker might be using passive sniffing, as it provides significant stealth advantages

How the community answered

(39 responses)
  • A
    5% (2)
  • B
    79% (31)
  • C
    3% (1)
  • D
    13% (5)

Explanation

Explanation

MAC flooding is the most viable technique for sniffing traffic on a switched network, because switches normally forward traffic only to the intended port based on their MAC address table (CAM table). By flooding the switch with thousands of fake MAC addresses, the attacker can exhaust the CAM table's memory, causing the switch to fail open and broadcast all traffic to every port - effectively turning it into a hub, which the attacker's sniffer can then capture.

Option A (physical compromise) is plausible in general but describes a physical access attack, not a sniffing technique specific to switched environments - the question asks about the method used within the switched network context. Option C (Trojan horse) is a malware delivery method, not a network-level sniffing technique relevant to the switched topology. Option D is incorrect because passive sniffing only works on hub-based networks where traffic is broadcast naturally; on a switched network, passive sniffing alone would only capture traffic destined for the attacker's port.

Memory Tip: Think of MAC flooding as "confusing the switch into acting like a hub" - remember "Flood the table, sniff the cable." Whenever you see switched network + sniffing, think CAM table overflow = MAC flooding.

Topics

#Sniffing#Switched Networks#MAC Flooding#Network Attacks

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice