Security Basics mailing list archives
RE: Caching a sniffer
From: "Paul Blackstone" <paul () 4-sc net>
Date: Thu, 25 Mar 2004 14:19:06 -0500
Or unless the person uses something like D-Sniff or one of the other similar tools. ;)

Paul

-----Original Message-----
From: Andrew Shore [mailto:andrew.shore () holistecs com]
Sent: Thursday, March 25, 2004 4:15 AM
To: Shawn Jackson; Patrick Toomey
Cc: security-basics () securityfocus com; ksaenz () spinaweb com au; gillettdavid () fhda edu
Subject: RE: Caching a sniffer

A switch is not a hub/router. In fact it is a micro segmented bridge. A switch operates at layer 2 of the OSI model ie MAC address layer. If a device is plugged into a switch port it will only see traffic sent to it (and broadcasts) it will not be able to see all the traffic on the network, ie between other PCs and the servers.

Span ports (or mirror ports) are a debugging tool which can be enabled on switches to allow engineers to look at what traffic is on a given vlan or other port.

Therefore if someone has plugged a scanner into a network point they will not be able to sniff any useful information from the network unless that person has admin access to the switch. You can check this by ensuring that none of the ports on the switches are in span mode

Andrew Shore
CISSP CCNP MCSE RHCE CCSE
Senior Security Specialist
DDI. 01302 308 165
andrew.shore () holistecs com
Company Number 04943010
VAT Number 828 8635 82
Holistic Technologies Ltd
Unit 7 Shaw Wood Business Park
Shaw Wood Way
Doncaster
South Yorkshire
DN2 5TB
T. 0870 240 1442
F. 0870 240 1443
www.holistecs.com

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: 24 March 2004 16:25
To: Patrick Toomey
Cc: security-basics () securityfocus com; ksaenz () spinaweb com au; gillettdavid () fhda edu
Subject: RE: Caching a sniffer

> It was my understanding that port mirroring was introduced because of
> the inherent differences between a switched environment and a hub
> environment.

Correct.

> If someone is running a sniffer on your switched network and has the
> ability to login to your switch, enable port mirroring, and sniff data,
> you have much bigger problems than just having a rogue sniffer on the
> network.

Incorrect. A switch is basically a hub and router in one. You can flood the MAC address table of the switch, where it decides what port has what MACs on it so it knows what port to route the traffic to. Once the table is full switches then 'turn-off' the routing/switching systems and the switch then becomes a hub. There is a program called macoff that does this. So you don't need to have access to the switch to sniff the entire network.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
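
Added example, not part of any message in this thread: a defender-side check for the MAC address table flooding described above. It flags a switch port when the number of distinct source MACs seen on it inside a short window exceeds a limit, which is the same per-port limit idea that switch port security enforces. The event tuple format, port names, window and threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

def flooded_ports(events, window=10.0, max_macs=8):
    """Return {port: peak distinct source MACs within any `window` seconds}
    for ports whose peak exceeds `max_macs`.

    events: iterable of (timestamp_seconds, port, src_mac), sorted by time
    (assumed format, e.g. parsed from MAC-learning notifications).
    """
    recent = defaultdict(deque)   # port -> (ts, mac) observations inside the window
    counts = defaultdict(dict)    # port -> {mac: observations inside the window}
    peak = defaultdict(int)       # port -> highest distinct-MAC count seen
    for ts, port, mac in events:
        mac = mac.lower()
        q, seen = recent[port], counts[port]
        q.append((ts, mac))
        seen[mac] = seen.get(mac, 0) + 1
        # Expire observations that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        peak[port] = max(peak[port], len(seen))
    return {p: n for p, n in peak.items() if n > max_macs}

def sample_events():
    """Constructed data: two ordinary access ports and one flooding port."""
    ev = []
    for t in range(0, 60, 5):
        ev.append((float(t), "Fa0/1", "00:11:22:33:44:01"))  # single workstation
        ev.append((float(t), "Fa0/2", "00:11:22:33:44:02"))  # phone with a PC
        ev.append((float(t), "Fa0/2", "00:11:22:33:44:03"))  # behind it
    # Fa0/7: 200 never-repeating source MACs within two seconds.
    for i in range(200):
        ev.append((30.0 + i * 0.01, "Fa0/7",
                   "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)))
    return sorted(ev)

if __name__ == "__main__":
    for port, n in flooded_ports(sample_events()).items():
        print(f"{port}: {n} distinct source MACs in window, possible MAC flooding")
```
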