LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does a MAC address table flooding attack work, and what tool is commonly used?

An attacker uses a tool like macof to flood a switch with thousands of frames containing random source MACs (Media Access Control addresses). Once the MAC table is full, the switch floods all traffic out every port — effectively turning it into a hub, allowing the attacker to sniff all traffic.

macof floods random-MAC frames, fills the CAM table, switch floods, attacker sniffs.

* MAC flooding turns the switch into a hub. *

Normal switch operation:

  • Switch receives a frame → learns the source MAC and associates it with the ingress port
  • Switch forwards the frame only out the port associated with the destination MAC
  • This means traffic is isolated — host A can't see traffic between host B and host C

The attack (step by step):

  1. Attacker connects to a switch port and runs macof
  2. macof generates up to 8,000 bogus frames per second, each with a random source MAC
  3. Each fake MAC consumes an entry in the switch's CAM table (Content Addressable Memory)
  4. A typical switch stores 8,000 to 132,000 MAC addresses (Catalyst 6500 stores 132,000)
  5. Within seconds, the table is completely full

What happens when the table is full:

  • The switch cannot learn any new legitimate MAC addresses
  • For any frame with a destination MAC not in the table → switch floods it out all ports on that VLAN (Virtual Local Area Network)
  • The attacker can now capture all traffic on the VLAN using a packet sniffer (Wireshark)

Important limitation: Traffic is only flooded within the local VLAN. The attacker can only capture traffic on the VLAN they're connected to.

Mitigation: Port Security — limits the number of MAC addresses that can be learned on a port. If the limit is exceeded, the port can be shut down.

Go deeper:

From Quiz: NETW2 / LAN Security Concepts | Updated: Jul 05, 2026