The key indicator is that the switch’s CAM table was overwhelmed and the attacker’s machine started receiving traffic not originally destined for it. That is the hallmark of MAC flooding. Switches maintain a CAM (Content Addressable Memory) table mapping MAC addresses to switch ports. Under normal conditions, this allows a switch to forward frames only to the correct destination port (unicast switching). In a MAC flooding attack, the attacker sends a large volume of frames with many spoofed source MAC addresses, rapidly filling the CAM table. Once the table is full, the switch may fail open for unknown unicast traffic and begin flooding frames out multiple ports, behaving much like a hub. This exposes packets to ports they were never meant for and allows the attacker to capture traffic from other hosts, enabling sniffing of multiple sessions.
The scenario explicitly mentions switch instability, traffic leakage, receiving packets not destined for the attacker, and CAM table exhaustion—these are directly aligned with MAC flooding mechanics.
Why the other options don’t match as well:
ARP poisoning (C) is a man-in-the-middle technique that manipulates ARP caches to redirect traffic through the attacker. It does not typically overwhelm the switch’s CAM table, and the symptom is traffic redirection rather than CAM exhaustion.
VLAN hopping (B) is a VLAN segmentation bypass (e.g., switch spoofing or double-tagging). It is about crossing VLAN boundaries, not causing CAM table overflow and switch-wide flooding behavior. The mention of multiple VLANs seeing leakage could be a downstream consequence of flooding/misconfiguration, but the decisive clue is CAM table overload.
DNS poisoning (A) targets name resolution and would not produce CAM table exhaustion or switch instability.
Therefore, Sarah most likely used D. MAC Flooding.
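The fail-open behavior described above can be reproduced in a small model. This is an added example, not part of the original answer: ToySwitch, the capacities, the MAC addresses and the max_macs threshold are all constructed, and entry aging is left out. It shows a reply leaking to a third port once the CAM table is full, and a per-port distinct-source-MAC count that flags the port responsible.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class ToySwitch:
    """Toy learning switch with a fixed-size CAM table (no entry aging)."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}                           # source MAC -> port
        self.macs_seen = defaultdict(set)       # port -> source MACs observed

    def receive(self, in_port, src, dst):
        """Learn src if there is room; return the ports the frame leaves on."""
        self.macs_seen[in_port].add(src)
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port
        if dst in self.cam:
            return [self.cam[dst]]              # known unicast: one port only
        return [p for p in self.ports if p != in_port]  # unknown: flood

    def suspicious_ports(self, max_macs):
        """Ports that presented more distinct source MACs than expected."""
        return sorted(p for p, m in self.macs_seen.items() if len(m) > max_macs)


def demo(cam_capacity):
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # constructed
    sw = ToySwitch(ports=[1, 2, 3], cam_capacity=cam_capacity)
    sw.receive(1, host_a, BROADCAST)            # host A is learned on port 1
    for i in range(20):                         # port 3: 20 different source MACs
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    sw.receive(2, host_b, host_a)               # host B speaks after the burst
    a_to_b = sw.receive(1, host_a, host_b)      # where does A's reply go?
    return a_to_b, sw.suspicious_ports(max_macs=4)


if __name__ == "__main__":
    print("CAM of 64:", demo(64))   # B was learned: reply leaves on port 2 only
    print("CAM of 8: ", demo(8))    # B never learned: reply also reaches port 3
```

In both runs the same port is flagged by the distinct-MAC count; only the undersized table turns that burst into leaked unicast traffic.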