The attacker is on the same subnet as the target system.

Variants:

1) The attacker could send Gratuitous ARP (GARP) to clam that the attacker’s Layer 2 MAC address is the MAC address of the nex-hop router. So, the attacker would capture all the traffic and forward it to the legitimate next-hop router.

2) The attacker can connect a hub to the network segment that carries the traffic the attacker wants to capture.

3)The attacker could connect to a Switch Port Analyzer (SPAN) port to capture all the traffic.

The attacker is on a different subnet than the destionation host.

The attacker sends an IP packet with a source route specified in the IP header. This causes the destination host to send traffic back to the spoofed IP address via the route specified.

TCP Three-Way Handshake

The attacker needs to know the TCP sequence numbers used in the TCP segments so that he can send a properly constructed ACK segment to the destination. If the attacker’s ACK segment reaches the destionation before the originator’s ACK segment does, the attacker becomes trusted by destionation.