Security Basics mailing list archives

RE: sniffing packets on a switch


From: "David Vertie" <verticalrave () hotmail com>
Date: Fri, 14 Mar 2003 02:24:01 +0000

Port spanning is not recommended for use with an IDS. Actually it's not practical at all. It creates a bottleneck at the IDS, and can drastically affect performance. Some switch providers, such as Cisco, have been offering dedicated "tap" ports that allow you to connect an IDS or multiple IDSes to a switch.

There are articles on the SecurityFocus website I believe that have mentioned the issue of port spanning.

There are also multiple articles about creating "one-way" connection cables for use with IDSes. I believe that if you can afford the spend for a switch that has a tap port specifically dedicated for something like this, then it is better that you use that. Going with a spanned port strategy may limit your expandability in the future.

And in reply to the last post... I don't believe that many administrators are even allowed to sniff traffic. So how you tackle this advice is up to you.

Some previously mentioned info about Ettercap:
Ettercap requires that you use arp poisoning on a switch to sniff traffic. The reason is that a "truly switched" environment runs on its internal arp table, and redefining the arp table in a specific manner will cause a MITM (Man in the middle) attack to occur.

Some list members on SecurityFocus have already downplayed this strategy on use for large networks, and I so too believe that it could introduce multitudes of performance related problems into a big network.

Ettercap is a good tool for research purposes, but I think that its effects could hurt a corporate network big time. Also, it may trip your IDS into believing that an attack is going on, whereas it is only you switching up your arp tables. If you have multiple administrators at your locale, then this could end up defeating an IDS solution pretty much.

So I'm pretty against sniffing up a network, administrator or no administrator.

But... If you're into this for the research (I've set my foot into this field writing papers on privacy)... If you're looking to test packet injection, I suggest the use of packit (the author or somebody related just released a new version), it is very highly configurable, and is very customizable.
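The ARP-poisoning behaviour Ettercap relies on, and the IDS "tripping" the post describes, both come down to one observable: an IP address that suddenly answers from a different MAC, or one MAC that starts claiming several IPs. As an added example that is not part of this thread, here is the check an IDS or an arpwatch-style monitor applies, run over a constructed set of ARP replies (class names, field names and all addresses are made up for illustration):

```python
"""Detect ARP-cache poisoning from a stream of ARP replies.

Added example (not from the mailing-list thread): a minimal version of the
check an IDS or an arpwatch-style monitor performs. It keeps the IP-to-MAC
bindings it has seen and raises an alert when an IP address starts answering
from a different MAC, or when one MAC claims several IP addresses (the pattern
of a host inserting itself between two peers). All values are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The subset of an ARP reply the check needs: the sender's claimed binding."""
    sender_ip: str
    sender_mac: str


class ArpMonitor:
    def __init__(self, max_ips_per_mac: int = 1) -> None:
        self.ip_to_mac: dict[str, str] = {}
        self.mac_to_ips: dict[str, set[str]] = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts: list[str] = []

    def observe(self, reply: ArpReply) -> list[str]:
        """Record one ARP reply and return the alerts it triggered (possibly none)."""
        new_alerts: list[str] = []

        # Check 1: a known IP now answers from a different MAC ("flip-flop").
        known = self.ip_to_mac.get(reply.sender_ip)
        if known is None:
            self.ip_to_mac[reply.sender_ip] = reply.sender_mac
        elif known != reply.sender_mac:
            new_alerts.append(
                f"MAC changed for {reply.sender_ip}: {known} -> {reply.sender_mac}"
            )
            # Track the new binding so a later flip back is reported as well.
            self.ip_to_mac[reply.sender_ip] = reply.sender_mac

        # Check 2: one MAC claims more IPs than the baseline allows.
        self.mac_to_ips[reply.sender_mac].add(reply.sender_ip)
        claimed = self.mac_to_ips[reply.sender_mac]
        if len(claimed) > self.max_ips_per_mac:
            new_alerts.append(f"{reply.sender_mac} now claims {sorted(claimed)}")

        self.alerts.extend(new_alerts)
        return new_alerts


# Constructed sample: a gateway and a workstation announce themselves, then a
# third MAC claims both of their IP addresses.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01"),   # gateway, legitimate
    ArpReply("192.168.1.10", "00:11:22:33:44:0a"),  # workstation, legitimate
    ArpReply("192.168.1.1", "00:aa:bb:cc:dd:ee"),   # new MAC claims the gateway IP
    ArpReply("192.168.1.10", "00:aa:bb:cc:dd:ee"),  # same MAC claims the workstation
]


def run_sample() -> list[str]:
    """Feed the constructed replies through the monitor and return all alerts."""
    monitor = ArpMonitor()
    for reply in SAMPLE_REPLIES:
        monitor.observe(reply)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The sample produces three alerts: two "MAC changed" lines (one per hijacked IP) and one "now claims" line once the same MAC holds both bindings. Note that `max_ips_per_mac = 1` is a deliberately strict baseline; routers carrying several addresses or hosts using VRRP-style shared IPs would need an allowlist, otherwise the monitor reports them just as loudly as the scenario the post warns about, which is exactly why an administrator poisoning the ARP tables "for research" looks indistinguishable from an attacker to the IDS.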



From: "cpmurphyiii" <cpmurphyiii () hotmail com>
To: "'Brad Davenport'" <BDavenport () scan-direct com>,<gillettdavid () fhda edu>, <security-basics () securityfocus com>
Subject: RE: sniffing packets on a switch
Date: Wed, 12 Mar 2003 21:09:18 -0500

Brad,

You can try to use ettercap. It can be found at
http://freshmeat.net/projects/ettercap/?topic_id=150%2C43.  Very good
utility.  Set up a MITM PC running Linux.  You will sniff all nodes on
the segment.  The tool even offers an ARP poisoning option, which will
allow you to interject your own packets into the transmission.

-----Original Message-----
From: Brad Davenport [mailto:BDavenport () scan-direct com]
Sent: Tuesday, March 11, 2003 1:19 PM
To: 'gillettdavid () fhda edu'; security-basics () securityfocus com
Subject: RE: sniffing packets on a switch

On Cisco's switches you can use the SPAN feature to send a mirror of
data received on a given port to another port.

IE, your firewall port is spanned to another switchport to allow your
IDS to sample all incoming data destined for the trusted net.

--BD

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Monday, March 10, 2003 11:02 AM
To: security-basics () securityfocus com
Subject: RE: sniffing packets on a switch

  Do you know what kind of problems?

  The most obvious problem with doing this is that, by
default, your sniffer machine's port on the switch will
only be sent traffic that is either broadcast, or addressed
specifically to the sniffer host.
  Most switches offer a way that the switch administrator
can direct that traffic for one or more other ports be
copied to the sniffer's port.  That's not a sniffer
program issue.

  There *are* ways to try that may make this happen if
you don't have administrative access to the switch, and
there might even be some tools around that automate
such measures.  But on most well-run networks, people
without admin access to things like switches are also not
authorized to be running sniffers, so let's not go there
in a public forum....

David Gillett


> -----Original Message-----
> From: Scott Borre [mailto:sfborre () yahoo com]
> Sent: March 7, 2003 15:55
> To: security-basics () securityfocus com
> Subject: sniffing packets on a switch
>
>
> I am interested in what people recommend using to
> sniff packets on a switch. I have heard that TCPdump
> has some problems doing this. Thank you ahead of the
> time for any assistance.
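David Gillett's point (a sniffer on an ordinary switch port only receives broadcasts and frames addressed to it) and Brad Davenport's SPAN description are easiest to see against a model of what the switch actually does. The following is an added example, not code from the thread: a toy learning switch with an optional mirror session, modelling the "data received on a given port" direction Brad describes. Port numbers, MAC addresses, frame contents and the `span()` method name are all constructed for the example.

```python
"""Why a sniffer on a plain switch port sees so little, and what a mirror
(SPAN) session changes.

Added example, not from the mailing-list thread. A learning switch records
which port each source MAC arrived on, delivers known unicast frames to that
one port, floods broadcasts and unknown destinations to every other port, and,
if a mirror session is configured, copies frames received on the source port
to the monitor port. Only the receive (ingress) direction is mirrored here.
"""
from __future__ import annotations

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


class LearningSwitch:
    def __init__(self, ports: list[int]) -> None:
        self.ports = ports
        self.mac_table: dict[str, int] = {}          # learned MAC -> port
        self.mirrors: dict[int, int] = {}            # source port -> monitor port
        self.delivered: dict[int, list[Frame]] = {p: [] for p in ports}

    def span(self, source_port: int, monitor_port: int) -> None:
        """Model of configuring a mirror session (receive direction only)."""
        self.mirrors[source_port] = monitor_port

    def receive(self, in_port: int, frame: Frame) -> None:
        # Learn where the sender lives.
        self.mac_table[frame.src] = in_port

        # Forwarding decision: known unicast goes to one port, everything else floods.
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            targets = [p for p in self.ports if p != in_port]
        else:
            targets = [out_port]
        for port in targets:
            self.delivered[port].append(frame)

        # Mirror: copy frames received on a spanned port to the monitor port,
        # unless normal forwarding already delivered this frame there.
        monitor = self.mirrors.get(in_port)
        if monitor is not None and monitor not in targets:
            self.delivered[monitor].append(frame)


# Constructed topology: port 1 = firewall, port 2 = server, port 3 = sniffer.
FIREWALL, SERVER, SNIFFER = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"

TRAFFIC = [
    (3, Frame(SNIFFER, BROADCAST, "sniffer ARP request")),  # switch learns the sniffer's MAC
    (1, Frame(FIREWALL, BROADCAST, "fw ARP request")),      # broadcast: flooded to everyone
    (2, Frame(SERVER, FIREWALL, "server->fw")),             # known unicast: port 1 only
    (1, Frame(FIREWALL, SERVER, "fw->server")),             # known unicast: port 2 only
    (1, Frame(FIREWALL, SNIFFER, "fw->sniffer")),           # addressed to the sniffer itself
]


def sniffer_sees(with_span: bool) -> list[str]:
    """Return the payloads the sniffer's port (3) receives, with or without a mirror of port 1."""
    switch = LearningSwitch([1, 2, 3])
    if with_span:
        switch.span(source_port=1, monitor_port=3)
    for in_port, frame in TRAFFIC:
        switch.receive(in_port, frame)
    return [frame.payload for frame in switch.delivered[3]]


if __name__ == "__main__":
    print("no mirror :", sniffer_sees(False))
    print("with mirror:", sniffer_sees(True))
```

Without a mirror the sniffer port receives only the firewall's broadcast and the frame addressed to the sniffer, which is the behaviour David Gillett describes and the reason tcpdump alone "has problems" on a switch. With port 1 mirrored, `fw->server` shows up as well. Two caveats a practitioner would want: the frame `server->fw` is still missing, because this model (like a receive-only mirror) copies only what enters port 1, so a real session would need to mirror both directions of the firewall port to capture replies; and, as the thread notes, copying a busy port's traffic to one monitor port can oversubscribe that port, which is the bottleneck David Vertie raises against spanning for an IDS.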

