Security Incidents mailing list archives
Re: Why can I see other traffic at switch environment just tcpdump?
From: Kelly Martin <kmartin () pyrzqxgl org>
Date: Tue, 08 Oct 2002 22:37:47 -0500
SB CH wrote:
Hello, all. I have operated a Linux server in a switched environment, and with just tcpdump I can see some other traffic which is not related to me, without any other tool or trick. It means that I can sniff traffic without a special sniffing tool at the switch, right? Is it possible? But it's true.
Switches do not guarantee that all traffic will be sent point-to-point only. If the switch does not know (for whatever reason) which of its ports is hosting a given destination MAC address, it will generally flood that frame to all ports. On a very busy switch (especially a switch on a large LAN), this may happen quite frequently, and can be forced on virtually any switch (not specifically configured for port security) by the use of cache poisoning techniques. Switches should not be relied on as a security mechanism unless the switch specifically has (and has been configured to use) port security by the use of static assignment of MAC addresses to ports.

Kelly

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
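
Added example (not part of the original post or of any switch vendor's code): a toy Python model of the behaviour the reply describes, showing when a frame is flooded to every port and how static MAC-to-port bindings change the outcome. The class, its parameters, the MAC addresses and the 300-second aging time are all assumptions made for illustration.

```python
# Added example: toy model of a switch MAC table (all names are hypothetical).
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, static=None, max_age=300):
        self.ports = set(ports)
        self.static = dict(static or {})  # MAC -> port bindings (port security)
        self.table = {}                   # learned MAC -> (port, last_seen)
        self.max_age = max_age            # seconds before a learned entry expires

    def lookup(self, mac, now):
        if mac in self.static:
            return self.static[mac]
        port, seen = self.table.get(mac, (None, 0))
        if port is not None and now - seen > self.max_age:
            del self.table[mac]           # entry aged out
            return None
        return port

    def forward(self, in_port, src, dst, now=0):
        """Return the set of ports the frame is transmitted on."""
        if self.static:
            if self.static.get(src) != in_port:
                return set()              # source not bound to this port: drop
        else:
            self.table[src] = (in_port, now)   # dynamic learning
        out = None if dst == BROADCAST else self.lookup(dst, now)
        if out is None:
            return self.ports - {in_port}      # broadcast or unknown unicast: flood
        return {out} - {in_port}

def demo():
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"  # constructed
    sw = LearningSwitch(ports=[1, 2, 3])
    results = {
        "unknown_dst": sw.forward(1, a, b, now=0),   # b not learned yet: flooded
        "reply": sw.forward(2, b, a, now=1),         # a was learned on port 1
        "known_dst": sw.forward(1, a, b, now=2),     # b now learned on port 2
        "aged_out": sw.forward(1, a, b, now=1000),   # b's entry expired: flooded again
    }
    secure = LearningSwitch(ports=[1, 2, 3], static={a: 1, b: 2, c: 3})
    results["static_known"] = secure.forward(1, a, b)
    results["static_mismatch"] = secure.forward(3, b, a)  # b is bound to port 2: dropped
    return results

if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:16} -> {sorted(ports)}")
```

In the flooded cases the host on port 3 receives a frame addressed to someone else, which is what a plain tcpdump on that host would show.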