Flood network with random MAC addresses with macof tool


Before you can be a badass hacker you need to understand what exactly it is your doing.  Today’s Lesson is on flooding a network with random MAC addresses.

Switch Behavior
If you fill up a switches table with random mac addresses different vendors switches will behave differently.

Cisco switches will keep original MAC address on its table and will only remove them if they time out. However many other switches will let their entire table get filled up with fake addresses! This is beneficial to you if you wish to receive traffic intended for other people!

What is the point of filling up switches table with fake make addresses? It forces the switch to become a hub (and you as an attacker can now see traffic on every port as all packets are now broadcasted)

Flooding a VLAN
You can group a number of ports on a switch together and say they are part of a VLAN (they are logically separated from other VLANs). Why is this helpful? Broadcast packets will only occur within the same VLAN (Even they are on the same switch).

Most switches today do not have separate tables for each VLAN. Flooding a single VLAN would force all other VLANs to flood as well (just flood their own VLAN). Why? Because if the shared table is full than each VLAN no longer knows what ports legitimate MAC address(es) are on.. so they must broadcast.



macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]


macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek <[email protected]>.


-i interface Specify the interface to send on.
-s src Specify source IP address.
-d dst Specify destination IP address.
-e tha Specify target hardware address.
-x sport Specify TCP source port.
-y dport Specify TCP destination port.
-n times Specify the number of packets to send.

Values for any options left unspecified will be generated randomly.

yersinia.net is another tool

Because macoff generates random MAC addresses it sometimes generates MAC addresses that are not valid (in which case those packets will be dropped). Flood network!

2 comments to Flood network with random MAC addresses with macof tool

  • Ian Vitek

    So it still works!?
    //Ian Vitek

    • ssstonebraker

      I created this post as a note to myself (from as class lecture). My plan was to test it at some point, i have not tested it yet. The slide was part of a lecture they are teaching at DePaul for class TDC577 – Network Security II. I’ve included a screenshot of the slide below =).

Leave a Reply

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>