Security Basics mailing list archives

Re: ethereal capture


From: "ericbrouwers" <ericbrouwers () vodafone nl>
Date: Mon, 22 Sep 2003 22:07:31 +0200

You may see the following traffic:
- broadcasts
- specific multicasts
- mirrored traffic (if enabled)
- flooded traffic: if the dest. MAC is not in the MAC table, the switch
forwards the frame to all ports, except to the port from which the frame
came!!!

Hope this helps,

Eric

----- Original Message -----
From: "Cat Thrasher" <isd607 () co santa-cruz ca us>
To: <security-basics () securityfocus com>
Sent: Thursday, September 18, 2003 1:17 AM
Subject: ethereal capture


Hi, Please advise on my question.
I thought when you are sniffing a switched segment, you are only seeing
broadcast traffic. I see source Workstation (not the one I am monitoring
on)--Dest Webserver inside on my network and protocol http. Please tell me
if this is usual.

I have ethereal on a laptop. I did a port monitor on a Cisco Switch and
captured traffic from one port. (so I thought) I thought I'd only see what
the workstation on port fast ethernet 0/38 was doing. But like I said
above, I see lots of http conversations and tcp conversations where the dest
port is not all F's, or 255's. And the source is not the workstation on the
port I am monitoring.

Thanks a lot.


Cat Thrasher
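
The four traffic classes listed in the reply can be reproduced with a small model of a learning switch. This Python sketch is an added example, not part of the original thread; the MAC addresses, the port numbers other than 38, and the simplified mirroring and multicast handling (all multicast is treated as flooded) are assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group(mac):
    # I/G bit (lowest bit of the first octet) set means multicast/broadcast
    return int(mac.split(":")[0], 16) & 1 == 1

class LearningSwitch:
    """Simplified model: one sniffer port, optionally one mirrored port."""
    def __init__(self, sniffer_port, mirrored_port=None):
        self.mac_table = {}              # MAC -> port, learned from source MACs
        self.sniffer_port = sniffer_port
        self.mirrored_port = mirrored_port

    def forward(self, in_port, src, dst):
        """Return why the sniffer port receives this frame, or None if it does not."""
        self.mac_table[src] = in_port    # learn where the sender lives
        if in_port == self.sniffer_port:
            return None                  # never sent back out the ingress port
        if dst == BROADCAST:
            return "broadcast"
        if is_group(dst):
            return "multicast"
        out_port = self.mac_table.get(dst)
        if out_port == self.sniffer_port:
            return "unicast to sniffer"
        if self.mirrored_port is not None and self.mirrored_port in (in_port, out_port):
            return "mirrored"
        if out_port is None:
            return "flooded"             # unknown destination: sent to all other ports
        return None                      # known unicast between two other ports

# Constructed sample: ports and MAC addresses are made up for illustration.
W1, W2, SRV = "02:00:00:00:00:26", "02:00:00:00:00:05", "02:00:00:00:00:0a"

def demo():
    sw = LearningSwitch(sniffer_port=1, mirrored_port=38)
    seen = []
    seen.append(sw.forward(5, W2, SRV))                  # server not learned yet
    seen.append(sw.forward(10, SRV, W2))                 # reply: both now known
    seen.append(sw.forward(5, W2, SRV))                  # known unicast
    seen.append(sw.forward(38, W1, SRV))                 # monitored workstation
    seen.append(sw.forward(5, W2, BROADCAST))            # e.g. an ARP request
    seen.append(sw.forward(5, W2, "01:00:5e:00:00:fb"))  # IPv4 multicast MAC
    del sw.mac_table[SRV]                                # entry aged out
    seen.append(sw.forward(5, W2, SRV))                  # flooded again
    return seen

if __name__ == "__main__":
    print(demo())
```

The first and last frames show how an HTTP conversation between two other hosts can appear in the capture: the server's MAC is missing from the table at that moment, so the frame is flooded.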
