What Is Dsniff And How To Get Rid Of Dsniff?


It is time to take a look at some security issues. One of the common attack methods used by hackers is dsniff. So we need to answer “what is dsniff”, “how does dsniff work”, “how can we get rid of dsniff”, etc.


This is how dsniff works: the attacker sends frames with lots of different source MAC addresses to the switch port (MAC flooding), so the MAC address table keeps growing until it is full. Once the switch can’t learn any more MAC addresses, it starts to behave like a “hub” and forwards all packets to all ports, so the attacker can capture this information! Oh my god, it sounds terrible, right? Yup, but we have ways to survive dsniff. The first thing we can do about this issue is implement “port security” on our switch ports.


SWITCH_A(conf)#interface Fa0/21
SWITCH_A(conf-if)#switchport mode access
SWITCH_A(conf-if)#switchport port-security
SWITCH_A(conf-if)#switchport port-security maximum 1

This is how we implement port security on a switch port (Fa0/21 in this example). Here we allow just 1 MAC address on the switch port. If two devices (MACs) try to connect through this switch port (via a hub, another switch, etc.), the switch port shuts itself down! It goes into error-disable mode and nothing works.

Awesome, huh? Once we are sure that the network is safe again, we should use the configuration below to bring Fa0/21 up again:

SWITCH_A(conf)#interface Fa0/21
SWITCH_A(conf-if)#shutdown
SWITCH_A(conf-if)#no shutdown


After this configuration, the port won’t be in error-disable mode anymore.


A static MAC address is another way to get rid of dsniff. With the configuration below, we ensure that only the device with MAC address 1111.1111.1111 can work from Fa0/21.


SWITCH_A(conf)#interface Fa0/21
SWITCH_A(conf-if)#switchport port-security mac-address 1111.1111.1111
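
To check that the settings above are really in place on every access port, a saved running-config can be audited offline. The script below is an added example, not part of the original post; the sample config is constructed, the function names are hypothetical, and it assumes interface names are written out in full as they appear in a running-config.

```python
import re
# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/20
 switchport mode access
!
interface FastEthernet0/21
 switchport mode access
 switchport port-security
 switchport port-security mac-address 1111.1111.1111
!
interface FastEthernet0/22
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
interface FastEthernet0/23
 switchport mode access
 switchport port-security maximum 2
"""

def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_port_security(config, max_allowed=1):
    """Return {interface: finding} for access ports open to MAC flooding."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and routed ports are out of scope here
        if "switchport port-security" not in cmds:
            findings[name] = "port-security not enabled"
            continue
        # IOS omits the default (maximum 1) from the running-config.
        limits = [int(c.rsplit(None, 1)[1]) for c in cmds
                  if re.fullmatch(r"switchport port-security maximum \d+", c)]
        if limits and limits[-1] > max_allowed:
            findings[name] = f"maximum {limits[-1]} exceeds {max_allowed}"
    return findings
```

Fa0/23 in the sample is flagged even though it has a maximum set: the limit does nothing until the bare `switchport port-security` command enables the feature on that port.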

