Since any 'normal' request will be built up correctly by the help of our operating system - there is always just a single MAC available per network interface. To do so we have to operate directly on the data link layer of the OSI reference model. We would like to make the switch believe that there are more computers connected to it than he can remember.

So our network looks like the diagram above. In addition, modern switches may be configured using so-called port security, so it is of course possible to eliminate such an attack at it's root cause. The switches should be able to recover from the attack automatically using the MAC table aging method Since the switches CAM tables are finite, at some point in time the switch cannot remember the different source addresses and therefore is out of service. So the only thing to do is to flood the network with frames originating from different MAC addresses. But when there are more clients than the switch can remember, the layer 2 frames are send on every port and you may sniff the whole traffic - or the whole network breaks due to exponentially increasing traffic. Usually a switch remembers which client (MAC address) is connected to which port. It's some kind of denial of service attack.