Security Basics mailing list archives

RE: sniffing packets on a switch


From: Brad Davenport <BDavenport () scan-direct com>
Date: Tue, 11 Mar 2003 12:19:17 -0600

On Cisco's switches you can use the SPAN feature to send a mirror of data
received on a given port to another port.

I.e., your firewall port is spanned to another switchport to allow your IDS to
sample all incoming data destined for the trusted net.

--BD

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Monday, March 10, 2003 11:02 AM
To: security-basics () securityfocus com
Subject: RE: sniffing packets on a switch

  Do you know what kind of problems?

  The most obvious problem with doing this is that, by
default, your sniffer machine's port on the switch will
only be sent traffic that is either broadcast, or addressed
specifically to the sniffer host.
  Most switches offer a way that the switch administrator 
can direct that traffic for one or more other ports be 
copied to the sniffer's port.  That's not a sniffer 
program issue.

  There *are* ways to try that may make this happen if
you don't have administrative access to the switch, and
there might even be some tools around that automate
such measures.  But on most well-run networks, people
without admin access to things like switches are also not
authorized to be running sniffers, so let's not go there
in a public forum....

David Gillett
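To make both points above concrete (a sniffer port only sees broadcast and its own unicast, and port mirroring is what fixes that), here is an added Python model of a learning switch with a SPAN-style mirror session. It is illustrative code written for this thread, not anything from the original posters or from any switch vendor; the port names, MAC addresses and frame payloads are constructed, and the simplification that a mirror destination port receives only mirrored copies (no normal forwarded traffic) is an assumption of the model.

```python
# Toy model of a learning (store-and-forward) switch with a SPAN-style mirror.
# Added example for this thread; not real switch code. All values are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Frame:
    def __init__(self, src, dst, payload):
        self.src, self.dst, self.payload = src, dst, payload


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}                       # learned MAC -> port
        self.span = {}                            # source port -> (dest port, direction)
        self.delivered = {p: [] for p in ports}   # frames each port transmits to its host

    def mirror(self, source, destination, direction="both"):
        """Copy traffic seen on `source` to `destination`; direction is rx, tx or both."""
        assert direction in ("rx", "tx", "both")
        self.span[source] = (destination, direction)

    def _monitor_ports(self):
        return {dest for dest, _ in self.span.values()}

    def _span_copy(self, port, frame, direction):
        entry = self.span.get(port)
        if entry is None:
            return
        dest, mode = entry
        if mode in (direction, "both"):
            self.delivered[dest].append(frame)

    def receive(self, in_port, frame):
        """Forward one frame that arrived on in_port; return the egress ports used."""
        self.mac_table[frame.src] = in_port           # learn the sender's location
        monitors = self._monitor_ports()              # assumption: mirror destinations
        learned = self.mac_table.get(frame.dst)       # get mirrored copies only
        if frame.dst == BROADCAST or learned is None:
            # broadcast or unknown unicast: flood to every other port
            outs = [p for p in self.ports if p != in_port and p not in monitors]
        elif learned == in_port or learned in monitors:
            outs = []                                 # nothing to forward
        else:
            outs = [learned]                          # known unicast: one port only
        for p in outs:
            self.delivered[p].append(frame)
        self._span_copy(in_port, frame, "rx")         # copy of ingress traffic
        for p in outs:
            self._span_copy(p, frame, "tx")           # copy of egress traffic
        return outs


FW, SRV = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed MAC addresses


def ids_view(span_direction=None):
    """Payloads the IDS host on port 'ids' receives, with or without a mirror."""
    sw = LearningSwitch(["fw", "srv", "ids"])
    if span_direction:
        sw.mirror("fw", "ids", span_direction)        # mirror the firewall port
    sw.receive("fw", Frame(FW, BROADCAST, "arp who-has srv"))
    sw.receive("srv", Frame(SRV, FW, "arp reply"))
    sw.receive("fw", Frame(FW, SRV, "http request"))
    sw.receive("srv", Frame(SRV, FW, "http response"))
    return [f.payload for f in sw.delivered["ids"]]


if __name__ == "__main__":
    print("no mirror:  ", ids_view())
    print("mirror rx:  ", ids_view("rx"))
    print("mirror both:", ids_view("both"))
```

Without a mirror the IDS port sees only the flooded ARP broadcast; the two HTTP frames never reach it because the switch has already learned where the firewall and the server live. Mirroring just the received side of the firewall port (the "rx" case, as in the reply above) shows the inbound requests but not the replies, so a session-aware IDS usually wants both directions mirrored.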


-----Original Message-----
From: Scott Borre [mailto:sfborre () yahoo com]
Sent: March 7, 2003 15:55
To: security-basics () securityfocus com
Subject: sniffing packets on a switch


I am interested in what people recommend using to
sniff packets on a switch. I have heard that TCPdump
has some problems doing this. Thank you ahead of
time for any assistance.

