Introduction
Learn how to use MAC Flooding to sniff traffic and ARP Cache Poisoning to manipulate network traffic as a MITM.
While it’s not required, you should ideally have a general understanding of how OSI Model Layer 2 (L2) network switches work, what a MAC table is, what the Address Resolution Protocol (ARP) does, and how to use Wireshark at a basic level. If you’re not comfortable with these topics, please check out the Network and Linux Fundamentals modules and the Wireshark room.
Sniffing on a Switched Network

Using a network diagram of devices connected to a switch, the video shows that a sniffer can only see traffic directed to or from the switch port it is attached to, because a switch forwards unicast frames only to the port that owns the destination MAC. The scenario in the video below illustrates this limitation: traffic not intended for the attacker never reaches the attacker’s port.
Tools Used for Sniffing
Wireshark is introduced as a GUI tool, and tcpdump as a command-line alternative. The process of selecting an interface, starting a capture, and outputting to a .pcap file is demonstrated. These tools are critical for visibility into packet-level data.
MAC Address Flooding: Making Sniffing Evil
The concept of “evil sniffing” is introduced with the MAC flooding technique. By flooding a switch with frames from a large number of fake source MAC addresses, using a tool like macof, the switch’s MAC address table fills up and the switch enters a fail-open mode: it reverts to hub-like behavior and forwards every frame out of every port. This lets the attacker sniff traffic between other hosts on the same switch.
ARP Spoofing: Core of MITM
The MITM section starts by explaining ARP (Address Resolution Protocol) spoofing, in which the attacker sends forged ARP messages that associate the attacker’s MAC address with the IP address of a legitimate host such as the gateway. Other devices update their ARP caches accordingly and send their traffic through the attacker, who can read or alter it before forwarding it on.
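Both techniques above leave a signature that a defender can look for on a capture interface: a MAC flood shows up as a burst of many distinct source MAC addresses in a short time, and ARP poisoning shows up as an IP address whose MAC binding changes, or as a non-gateway MAC claiming the gateway’s IP. The following is an added example, not code from the TryHackMe room, macof or Ettercap: a small Ethernet/ARP frame parser with those two checks running over constructed frames. All MAC addresses, IP addresses, host names and the threshold of 50 distinct MACs per second are assumptions chosen for the demo.

```python
"""Added example, not code from the TryHackMe room, macof or Ettercap: a
small Ethernet/ARP frame parser plus two defender-side checks over it.
Check 1 flags a burst of many distinct source MACs on one interface (what a
MAC-flooding tool leaves behind); check 2 flags an IP whose ARP binding
changes, or a non-gateway MAC claiming the gateway IP (ARP cache poisoning).
Every frame, address and threshold below is constructed for the demo."""
import struct
from collections import deque

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, dst="ff:ff:ff:ff:ff:ff"):
    """Construct an Ethernet frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)


def parse_frame(raw):
    """Decode the Ethernet header and, for ARP frames, the ARP fields."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet frame")
    frame = {"dst": mac_str(raw[:6]), "src": mac_str(raw[6:12]),
             "ethertype": struct.unpack("!H", raw[12:14])[0]}
    if frame["ethertype"] == ETHERTYPE_ARP and len(raw) >= 42:
        op = struct.unpack("!HHBBH", raw[14:22])[4]
        frame["arp"] = {"op": op, "sha": mac_str(raw[22:28]), "spa": ip_str(raw[28:32]),
                        "tha": mac_str(raw[32:38]), "tpa": ip_str(raw[38:42])}
    return frame


class L2Monitor:
    """Stateful checks for frames captured on one interface."""

    def __init__(self, gateway_ip, gateway_mac, flood_threshold=50, window=1.0):
        self.gateway_ip, self.gateway_mac = gateway_ip, gateway_mac.lower()
        self.flood_threshold, self.window = flood_threshold, window
        self.recent = deque()                           # (timestamp, src MAC) in window
        self.bindings = {gateway_ip: self.gateway_mac}  # ip -> MAC learned from ARP
        self.alerts = []

    def observe(self, raw, ts):
        frame = parse_frame(raw)
        # Check 1: count distinct source MACs inside the sliding time window.
        self.recent.append((ts, frame["src"]))
        while ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        distinct = len({m for _, m in self.recent})
        if distinct > self.flood_threshold:
            self.alerts.append(("mac_flood", distinct))
            self.recent.clear()                         # one alert per burst
        # Check 2: compare the ARP sender binding with what was learned earlier.
        arp = frame.get("arp")
        if arp and arp["op"] in (ARP_REQUEST, ARP_REPLY):
            ip, mac = arp["spa"], arp["sha"]
            if ip == self.gateway_ip and mac != self.gateway_mac:
                self.alerts.append(("gateway_impersonation", ip, mac))
            elif ip in self.bindings and self.bindings[ip] != mac:
                self.alerts.append(("arp_binding_change", ip, self.bindings[ip], mac))
            self.bindings.setdefault(ip, mac)
        return frame


def demo():
    """Constructed traffic: normal ARP, a 60-frame MAC flood, two poisoned replies."""
    mon = L2Monitor(gateway_ip="192.168.12.1", gateway_mac="02:00:00:00:00:01")
    bob, alice, eve = "02:00:00:00:00:20", "02:00:00:00:00:10", "02:00:00:00:00:66"
    mon.observe(build_arp(ARP_REQUEST, bob, "192.168.12.20",
                          "00:00:00:00:00:00", "192.168.12.10"), 0.0)
    mon.observe(build_arp(ARP_REPLY, alice, "192.168.12.10", bob, "192.168.12.20", dst=bob), 0.0)
    for i in range(60):  # flood: each IPv4 frame comes from a different fake source MAC
        raw = (mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(f"02:aa:bb:cc:dd:{i:02x}")
               + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 28)
        mon.observe(raw, 0.1)
    mon.observe(build_arp(ARP_REPLY, eve, "192.168.12.1", alice, "192.168.12.10", dst=alice), 5.0)
    mon.observe(build_arp(ARP_REPLY, eve, "192.168.12.10", "02:00:00:00:00:01",
                          "192.168.12.1", dst="02:00:00:00:00:01"), 5.0)
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the script prints one `mac_flood` alert for the burst, then a `gateway_impersonation` and an `arp_binding_change` alert for the two forged replies. On a real network the same logic would consume frames from a raw socket or a pcap reader instead of the constructed bytes; the switch-side counterpart of check 1 is port security limiting the number of MACs learned per port, and the counterpart of check 2 is Dynamic ARP Inspection.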
Ettercap for MITM
Ettercap is used in the demo to launch ARP spoofing, capture traffic, and even manipulate it using filter scripts. The video details the use of the -T, -i, -M, and -w flags and how to exit gracefully using q, which resets the victims’ ARP tables to avoid disruption.
Intercepting Sensitive Data

The captured data includes credentials exchanged over HTTP. Using Wireshark’s display filters, the video shows how to extract usernames and passwords from the HTTP Authorization header. Because HTTP carries such credentials in cleartext, anyone in a MITM position can read them, which reinforces the need for HTTPS.
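The same check can be automated on the defensive side to find out which accounts have been exposed in a capture. The following is an added example, not code from the room’s video or from Wireshark: a small HTTP request-head parser that reports Authorization headers sent without TLS, decoding Basic credentials only far enough to name the account and the length of the secret. The sample requests, host names and the account name are constructed.

```python
"""Added example, not code from the room's video or Wireshark: scan captured
HTTP request text for Authorization headers carried without TLS and report
which account is exposed, keeping the secret itself out of the report.
The sample requests and host names are constructed."""
import base64
import binascii
from typing import Optional


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.x request head into its request line and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def exposed_credential(raw: str, tls: bool) -> Optional[dict]:
    """Return a finding for a cleartext request carrying an Authorization header."""
    req = parse_request(raw)
    auth = req["headers"].get("authorization")
    if tls or not auth:
        return None
    scheme, _, token = auth.partition(" ")
    finding = {"scheme": scheme, "host": req["headers"].get("host", ""),
               "request": req["request_line"], "user": None}
    if scheme.lower() == "basic":
        # Basic carries base64("user:password"); decode only to learn the account name.
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
            user, _, secret = decoded.partition(":")
            finding["user"], finding["secret_length"] = user, len(secret)
        except (binascii.Error, UnicodeDecodeError):
            finding["user"] = "<undecodable>"
    return finding


def audit(captures):
    """captures: iterable of (raw_request, tls) pairs -> list of findings."""
    findings = []
    for raw, tls in captures:
        finding = exposed_credential(raw, tls)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample requests (the Basic token encodes "alice:secret").
SAMPLE_BASIC = ("GET /secret.txt HTTP/1.1\r\nHost: bob.example\r\n"
                "Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n")
SAMPLE_BEARER = ("GET /api HTTP/1.1\r\nHost: api.example\r\n"
                 "Authorization: Bearer constructed-token\r\n\r\n")

if __name__ == "__main__":
    for f in audit([(SAMPLE_BASIC, False), (SAMPLE_BASIC, True), (SAMPLE_BEARER, False)]):
        print(f"{f['scheme']} credential for user {f['user']!r} to {f['host']} "
              f"exposed in cleartext: {f['request']}")
```

The `tls` flag stands in for whatever the capture tool knows about the transport (port 443 or a TLS handshake on the stream); the same request over HTTPS yields no finding, which is exactly the point the video makes. Non-Basic schemes such as Bearer are still reported, since a bearer token in cleartext is as reusable as a password.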
Manipulating Data via Filters
An advanced segment involves creating custom Ettercap filters to alter commands in transit, for example replacing a “whoami” command with “cat /root/flag.txt”. This shows how a MITM attack can escalate to direct system compromise when the intercepted traffic is not integrity-protected.
TryHackMe L2 MAC Flooding & ARP Spoofing | Room Answers
What’s the network’s CIDR prefix?
How many other live hosts are there?
What’s the hostname of the first host (lowest IP address) you’ve found?
Who keeps sending packets to eve?
What type of packets are sent?
What’s the size of their data section? (bytes)
What kind of packets is Alice continuously sending to Bob?
What’s the size of their data section? (bytes)
Would you expect a different result when attacking hosts without ARP packet validation enabled? (Yay/Nay)
Which machine has an open well-known port?
What is the port number?
Can you access the content behind the service from your current position? (Nay/Yay)
Can you see any meaningful traffic to or from that port passively sniffing on your interface eth1? (Nay/Yay)
Now launch the same ARP spoofing attack as in the previous task. Can you see some interesting traffic, now? (Nay/Yay)
Who is using that service?
What’s the hostname the requests are sent to?
Which file is being requested?
What text is in the file?
Now, stop the attack (by pressing q). What is ettercap doing in order to leave its man-in-the-middle position gracefully and undo the poisoning?
Can you access the content behind that service, now, using the obtained credentials? (Nay/Yay)
What is the user.txt flag?
You should also have seen some rather questionable kind of traffic. What kind of remote access (shell) does Alice have on the server?
What commands are being executed? Answer in the order they are being executed.
Video Walk-Through