Security Incidents mailing list archives

Re: Why can I see other traffic at switch environment just tcpdump?


From: Kelly Martin <kmartin () pyrzqxgl org>
Date: Tue, 08 Oct 2002 22:37:47 -0500

SB CH wrote:

Hello, all

I have operated linux server at switch environment,
and just with tcpdump, I can see some other traffic whic is not related 
with me without any other tool or trick.

it means that I can sniff traffic without special sniffing tool at the 
switch , right? is it possible?
but it's ture.

Switches do not guarantee that all traffic will be sent point-to-point
only.  If the switch does not know (for whatever reason) which of its
ports is hosting a given destination MAC address, it will generally
flood that frame to all ports.  On a very busy (especially on a switch
on a large LAN), this may happen quite frequently, and can be forced on
virtually any switch (not specifically configured for port security) by
the use of cache poisoning techniques.

Switches should not be relied on as a security mechanism unless the
switch specifically has (and has been configured to use) port security
by the use of static assignment of MAC addresses to ports.

Kelly


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


Current thread: