Which indicator most strongly confirms a MAC flooding attack?

MAC flooding is a Layer 2 attack described in CEH v13 Network and Perimeter Hacking, where attackers overwhelm a switch’s CAM table with fake MAC addresses. Once the table is full, the switch behaves like a hub, forwarding traffic to all ports.

The most definitive indicator of MAC flooding is numerous MAC addresses learned on a single switch port, which is abnormal behavior in a properly segmented network. CEH v13 identifies this condition as a key forensic indicator of CAM table exhaustion.

ARP anomalies may occur, but they are more commonly associated with ARP spoofing attacks. IP-to-MAC inconsistencies indicate MITM attacks, not MAC flooding.

Thus, option C is the clearest confirmation.