Security Basics mailing list archives
RE: Network sniffing on the wire - managed switches
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 30 Dec 2008 10:50:01 -0800
It's called "arp cache poisoning", and it's nasty.

Switches send packets to destination ports based on the destination MAC address of the packet, which will be set according to the packet sender's arp cache entry for the destination host. So if the sender believes the destination's MAC address is either (a) YOUR MAC address, or (b) a broadcast address, then the switch(es) will deliver that packet to your sniffer.

Of course, if sent to your MAC address, it's up to you to deliver the packet to the intended destination, or risk discovery. Note that using broadcast addresses in this process can dramatically impact network performance, also tending to lead to discovery....

David Gillett
CISSP CCNP
-----Original Message-----
From: Tom Yarrish [mailto:tom () yarrish com]
Sent: Friday, December 26, 2008 11:11 AM
To: security-basics () securityfocus com
Subject: Network sniffing on the wire - managed switches

Hey all,

This may come off as somewhat of a newbie question, but it's one I've been curious about. When you are doing any sort of pen testing or sniffing on the wire, how do you handle a managed switch scenario? If you're connected to a switch on one port, how can you monitor the traffic on the other ports if you're not in a monitor mode? I've never understood how you can sniff traffic other than the traffic from your machine to a destination.

Thanks ahead of time,
Tom
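
Added example, not part of the original post or thread: a defender-side check that flags the two ARP conditions the reply above describes, a destination IP that becomes bound to another host's MAC address, and an IP bound to the broadcast address. The (ip, mac) observation format, the sample addresses and the function name are assumptions constructed for illustration.

```python
# Added example: flag ARP replies consistent with ARP cache poisoning.
# Input format and sample data are constructed, not taken from the thread.
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed ARP replies as (sender_ip, sender_mac), in arrival order.
SAMPLE_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),   # gateway, first seen binding
    ("192.0.2.10", "00:11:22:33:44:0a"),  # host A
    ("192.0.2.20", "00:11:22:33:44:14"),  # host B
    ("192.0.2.1", "00:11:22:33:44:14"),   # gateway now claimed by host B's MAC
    ("192.0.2.10", "FF:FF:FF:FF:FF:FF"),  # host A mapped to broadcast
]

def find_arp_anomalies(replies):
    """Return (kind, ip, mac) findings for a sequence of ARP replies."""
    ip_to_mac = {}                 # last accepted binding per IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    findings = []
    for ip, mac in replies:
        mac = mac.lower()
        if mac == BROADCAST:
            # Case (b) in the reply: a unicast IP bound to broadcast.
            findings.append(("broadcast-binding", ip, mac))
            continue  # never learn a broadcast binding as the baseline
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # The IP's binding moved to a different MAC.
            findings.append(("binding-changed", ip, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            # Case (a) in the reply: one MAC answering for several IPs.
            findings.append(("mac-claims-multiple-ips", ip, mac))
        ip_to_mac[ip] = mac
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE_REPLIES):
        print(finding)
```

Legitimate events such as a replaced network card, an address reassignment or a router answering for several IPs produce the same findings, so each hit needs checking against the known inventory.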