RE: Caching a sniffer

["David Gillett" <gillettdavid () fhda edu>]

> Incorrect. A switch is basically a hub and router in one.

  ... if you redefine "router" to include a concept similar to
"layer 2 router", at which many people will look at you rather
strangely.  The term normally refers to a layer 3 packet-forwarder
which rewrites packets, whereas switches are multiport bridges
that forward frames, without rewriting, based on the destination 
MAC address.

> You can flood the MAC address table of the switch, where it 
> decides what port has what MAC's on it so it knows what port 
> to route the traffic to. Once the table is full switches then 
> 'turn-off' the routing/switching systems and the switch then
> becomes a hub. There is a program called macoff that does this. 
> So you don't need to have access to the switch to sniff the 
> entire network.

  Switches "learn" what MAC addresses are on what port by collecting
source addresses from frames into a table.  Traffic will be flooded
to all ports if the destination MAC address is not in the table.
  I presume that some switches, faced with something like macoff, will
overflow the table such that legitimate addresses that should have been 
learned start flooding to all ports as well.
  But this is not the only possible reaction of a switched network to 
macoff!  If Cisco's port security is enabled, the switch may just shut 
down the port running macoff.  If the network consists of multiple
switches, something like macoff may prompt a spanning-tree reconvergence,
disrupting the entire network for 30 seconds or so.  I'm sure there
are other possibilities depending on manufacturer/model/firmware of the
switches in the network.

  Personally, if I had to sniff traffic on a switched network without
admin access, I'd prefer to use arp poisoning, a la ettercap.  The
MAC address tables on the switches go right on functioning normally,
just all of the traffic to/from the client you're interested in gets
sent to the sniffer machine's MAC address and forwarded to the intended
destination from there, with minimal impact on other network traffic
or performance.  About the only visibility is if the victim happens to
run "arp -a" and understands what they're seeing.

David Gillett


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------