Security Basics mailing list archives

RE: Network sniffing on the wire - managed switches


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 30 Dec 2008 10:50:01 -0800

  It's called "ARP cache poisoning", and it's nasty.

  Switches send packets to destination ports based on the
destination MAC address of the packet, which will be set
according to the packet sender's ARP cache entry for the
destination host.  So if the sender believes the destination's
MAC address is either (a) YOUR MAC address, or (b) a broadcast
address, then the switch(es) will deliver that packet to your
sniffer.  Of course, if sent to your MAC address, it's up to
you to deliver the packet to the intended destination, or risk
discovery.

  Note that using broadcast addresses in this process can dramatically
impact network performance, also tending to lead to discovery.

David Gillett
CISSP CCNP
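As an added illustration of the defender's side of what David describes (not code from the thread or either poster), the hypothetical detector below watches the sender IP/MAC pairs carried by ARP replies and flags both cases he names: an IP whose MAC binding changes to another station's address, and a reply advertising a broadcast or multicast MAC. The sample replies, addresses and alert names are all constructed for the example.

```python
"""Hypothetical ARP cache poisoning detector (added example, not from the thread)."""
from collections import defaultdict


def is_group_mac(mac: str) -> bool:
    """True for broadcast/multicast MACs: the I/G bit is the low bit of octet 0."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class ArpMonitor:
    def __init__(self):
        self.bindings = {}                   # ip -> MAC last claimed for it
        self.ips_by_mac = defaultdict(set)   # mac -> IPs it has claimed
        self.alerts = []                     # (kind, ...) tuples, oldest first

    def observe_reply(self, sender_ip: str, sender_mac: str) -> None:
        mac = sender_mac.lower()
        if is_group_mac(mac):                # case (b): broadcast/multicast sender MAC
            self.alerts.append(("group_mac", sender_ip, mac))
        prev = self.bindings.get(sender_ip)
        if prev is not None and prev != mac: # case (a): IP re-pointed at another MAC
            self.alerts.append(("binding_changed", sender_ip, prev, mac))
        self.bindings[sender_ip] = mac
        self.ips_by_mac[mac].add(sender_ip)
        if len(self.ips_by_mac[mac]) == 2:   # fire once, when a MAC first claims a 2nd IP
            self.alerts.append(("one_mac_many_ips", mac, tuple(sorted(self.ips_by_mac[mac]))))


# Constructed sample ARP replies (not captured traffic): a gateway at 10.0.0.1 and a
# host at 10.0.0.20, then replies re-pointing both at one station, and finally a
# reply that uses the broadcast address as its sender hardware address.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.20", "00:11:22:33:44:20"),
    ("10.0.0.1", "00:11:22:33:44:EE"),
    ("10.0.0.20", "00:11:22:33:44:ee"),
    ("10.0.0.30", "ff:ff:ff:ff:ff:ff"),
]


def run_detector(replies=SAMPLE_REPLIES):
    """Feed replies through a fresh monitor and return the alerts it raised."""
    mon = ArpMonitor()
    for ip, mac in replies:
        mon.observe_reply(ip, mac)
    return mon.alerts
```

On the sample input the detector raises four alerts: two binding changes, one MAC claiming two IPs, and one broadcast sender MAC. A real deployment would seed the bindings from a trusted inventory or DHCP leases rather than trusting the first reply it happens to see.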


-----Original Message-----
From: Tom Yarrish [mailto:tom () yarrish com] 
Sent: Friday, December 26, 2008 11:11 AM
To: security-basics () securityfocus com
Subject: Network sniffing on the wire - managed switches

Hey all,
This may come off as somewhat of a newbie question, but it's 
one I've been curious about.

When you are doing any sort of pen testing or sniffing on the
wire, how do you handle a managed switch scenario?  If you're
connected to a switch on one port, how can you monitor the
traffic on the other ports if you're not in a monitor
mode?  I've never understood how you can sniff traffic other
than the traffic from your machine to a destination.

Thanks ahead of time,
Tom


