It's a pretty stupid admin who counts on a station being able to sniff
attacks and then puts the monitoring station behind a switch.
Not that there aren't plenty of stupid admins out there, of course.
But I certainly know if _I_ were counting on my monitoring station
being able to snoop such things I'd make damn sure the switch forwarded
everything to it. (All switches I've seen are capable of this.)

> A filtering hub lets you perform this attack
> ping the two hosts you wish to snoop between.
> Using the MAC address you learn via ARP send both a unicast ARP
> giving yourself as the answer for the other IP address.

"arp info for 0x11223344 overwritten by 01:02:03:04:05:06"
Not that anyone will necessarily notice, of course, but still.

der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
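
A way to make sure someone does notice the log message quoted above, as an added example that is not part of the original post: it scans collected host logs for that message and reports any MAC address that has overwritten the ARP entries of two or more IP addresses, which is the trace the quoted attack leaves. It assumes the message appears in syslog exactly in the form quoted; the function names, hostnames, timestamps and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Matches the message format quoted in the post (assumed to appear verbatim):
#   arp info for 0x11223344 overwritten by 01:02:03:04:05:06
OVERWRITE_RE = re.compile(
    r"arp info for 0x([0-9a-fA-F]{8}) overwritten by "
    r"((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_overwrites(lines):
    """Yield (ip, mac) for every ARP-overwrite message found in lines."""
    for line in lines:
        m = OVERWRITE_RE.search(line)
        if m:
            # The message prints the IP as a 32-bit hex value; decode it.
            yield IPv4Address(int(m.group(1), 16)), m.group(2).lower()


def suspicious_macs(lines, min_ips=2):
    """Return {mac: sorted IPs} for MACs that took over at least min_ips addresses."""
    claimed = defaultdict(set)
    for ip, mac in parse_overwrites(lines):
        claimed[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) >= min_ips}


# Constructed sample log lines gathered from several hosts (all values made up,
# except the one message copied from the post).
SAMPLE_LOG = [
    "Jan  1 00:00:01 hosta /kernel: arp info for 0x11223344 overwritten by 01:02:03:04:05:06",
    "Jan  1 00:00:01 hostb /kernel: arp info for 0x11223345 overwritten by 01:02:03:04:05:06",
    "Jan  1 00:05:09 hostc /kernel: arp info for 0x11223350 overwritten by 0a:0b:0c:0d:0e:0f",
    "Jan  1 00:06:00 hostc sshd[99]: unrelated line",
]

if __name__ == "__main__":
    for mac, ips in suspicious_macs(SAMPLE_LOG).items():
        print(mac, "now answers for", ", ".join(map(str, ips)))
```

A single overwrite is often just a replaced network card, so the check only reports a MAC that displaces entries for several addresses.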