Capturing Man-in-the-Middle Attack Traffic on a Live Network Environment
Author Chad Calvert


Co-Author(s) Taghi M. Khoshgoftaar; Clifford Kemp; Maryam M. Najafabadi


Abstract In this paper, we perform penetration testing on a live network environment to capture and analyze Man-in-the-Middle (MITM) traffic. MITM attacks intercept communications between two machines, allowing an attacker to eavesdrop on and potentially modify the intercepted data. Such intrusions are an older attack variant, but because attack tools are readily available and easy to obtain, they remain a prevalent threat in modern networks. In this work, we implement three MITM attack variants on a live campus network. This paper outlines our experimental procedure both for implementing each attack type and for capturing the resulting traffic. We also discuss the challenges that arise when implementing such attacks and capturing their traffic in a live production environment. The captured traffic consists of representative real-world data, and our captures record the effect that MITM attacks have on the behavior of that traffic. Along with providing a tested framework for implementing attacks and capturing attack data, we also provide insight into the observable effects the attacks have on the resulting traffic.


Keywords Man-in-the-Middle, ARP Spoofing, DHCP Spoofing, Port Stealing

Article #: 22203
Proceedings of the 22nd ISSAT International Conference on Reliability and Quality in Design
August 4-6, 2016 - Los Angeles, California, U.S.A.
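The keywords above name ARP spoofing as one of the three attack variants. As an added illustration that is not from the paper (it uses neither the authors' captures nor their analysis), the following Python checks a list of ARP records for the generic on-wire indicators that a capture of ARP spoofing is expected to show: one IP address claimed by several MAC addresses, one MAC address claiming several IP addresses, and a burst of replies for the same IP that keeps a victim's cache poisoned. The record layout and the sample records are constructed assumptions, not the paper's data or format.

```python
"""Indicators of ARP spoofing in a list of ARP records.

Added example; the record layout and sample data are constructed
assumptions and are not the paper's capture format or results.
"""
from collections import defaultdict

# Record layout (assumed): (timestamp_seconds, opcode, sender_ip, sender_mac)
# opcode 1 = ARP request, 2 = ARP reply. The sender fields of either opcode
# can update a receiver's ARP cache, so both are treated as claims.
SAMPLE_ARP = [  # constructed sample, not real capture data
    (0.00, 1, "10.0.0.5", "aa:aa:aa:aa:aa:05"),  # victim asks for the gateway
    (0.01, 2, "10.0.0.1", "aa:aa:aa:aa:aa:01"),  # legitimate gateway reply
    (5.00, 2, "10.0.0.1", "de:ad:be:ef:00:99"),  # attacker claims the gateway
    (5.00, 2, "10.0.0.5", "de:ad:be:ef:00:99"),  # attacker claims the victim
    (6.00, 2, "10.0.0.1", "de:ad:be:ef:00:99"),  # re-poisoning keeps cache entry
    (7.00, 2, "10.0.0.1", "de:ad:be:ef:00:99"),
    (8.00, 2, "10.0.0.7", "aa:aa:aa:aa:aa:07"),  # unrelated host, no conflict
]


def arp_conflicts(records):
    """Map each IP claimed by more than one MAC to the sorted list of MACs."""
    macs_by_ip = defaultdict(set)
    for _ts, _opcode, ip, mac in records:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def suspect_macs(records):
    """Map each MAC that claims more than one IP to the sorted list of IPs.

    An attacker poisoning both ends of a conversation claims the gateway's IP
    toward the victim and the victim's IP toward the gateway from one MAC.
    """
    ips_by_mac = defaultdict(set)
    for _ts, _opcode, ip, mac in records:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def reply_rate(records, ip, window):
    """Largest number of ARP replies for `ip` inside any `window`-second span.

    Spoofing tools usually resend replies periodically so the poisoned entry
    does not expire; a legitimate host answers once per request.
    """
    times = sorted(ts for ts, opcode, rip, _mac in records if opcode == 2 and rip == ip)
    best = 0
    start = 0
    for end, t in enumerate(times):
        while times[start] < t - window:  # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    print("IPs claimed by several MACs:", arp_conflicts(SAMPLE_ARP))
    print("MACs claiming several IPs:", suspect_macs(SAMPLE_ARP))
    print("peak replies for 10.0.0.1 in 3 s:", reply_rate(SAMPLE_ARP, "10.0.0.1", 3.0))
```

On a real capture the records would come from a packet parser rather than a literal list; the checks themselves are independent of the source. A conflict alone is not proof of an attack (DHCP lease churn and failover setups can also change an IP's MAC), so a practitioner would correlate the three signals before raising an alert.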