Security Basics mailing list archives
RE: Caching a sniffer
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 23 Mar 2004 10:20:48 -0800
If you have a decent network switch in your environment you can disable all its port to allow promiscuous mode across the network.
From this text I got Port Mirroring, (SPAN). Now you can use MacOff
(or another MAC flooder) to overload the MAC table in a switch and turn on promiscuous mode which will allow you to sniff the network.
I'm aware of SPAN, of course. I use it routinely to *enable* sniffing,
not PREVENT it. (I took "Caching" to be an obvious misspelling of "Catching" -- was that my mistake?)
No clue, I just caught the last part of this thread, detailed above. But you're right, SPAN/Port Mirroring allows you to selectively monitor a port's traffic by forwarding a real-time copy of that traffic to a monitor port.
What I don't see is how it can be described as "disable all its port to allow promiscuous mode across the network", which sounds like maybe it means a switch command to either prevent client devices from going into promiscuous mode, or shut down the switch ports of clients who do. If such a command existed, it would be a great way to prevent users from sniffing each other's traffic, but I don't believe it does.
In essence if you flood the MAC table of a switch the switch will turn into a hub, thus "disabling the switch component of the ports". You could argue that turning on SPAN/Port Mirroring is also disabling the 'switch' part of that concerned port. To my knowledge, though not very extensive, I know of no command/system in switches to detect a NIC/Adapter in promiscuous mode and disable the port.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
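Added example, not part of the original message or thread: a defender-side check for the MAC-table flooding described above, which flags any switch port that presents an unusually large number of distinct source MAC addresses in a short window. The record format, port names, window and threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque


def sample_frames():
    """Constructed sample records: (seconds, switch_port, source_mac)."""
    frames = [
        (0.0, "Gi0/1", "00:11:22:33:44:01"),
        (0.5, "Gi0/2", "00:11:22:33:44:02"),
        (1.0, "Gi0/1", "00:11:22:33:44:01"),
    ]
    # Port Gi0/7 presents 300 distinct source MACs in about 3 seconds,
    # the pattern a MAC flooder produces on its access port.
    for i in range(300):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        frames.append((2.0 + i * 0.01, "Gi0/7", mac))
    frames.sort()
    return frames


def find_flooding_ports(frames, window=10.0, max_macs=50):
    """Return {port: time_of_first_alert} for ports that show more than
    max_macs distinct source MACs within any `window` seconds.
    Both limits are assumed values; tune them to the environment."""
    recent = defaultdict(deque)                     # port -> (time, mac) in window
    counts = defaultdict(lambda: defaultdict(int))  # port -> mac -> frames in window
    alerts = {}
    for ts, port, mac in frames:
        queue = recent[port]
        queue.append((ts, mac))
        counts[port][mac] += 1
        # Drop observations that have aged out of the sliding window.
        while queue and queue[0][0] < ts - window:
            _, old_mac = queue.popleft()
            counts[port][old_mac] -= 1
            if counts[port][old_mac] == 0:
                del counts[port][old_mac]
        if len(counts[port]) > max_macs and port not in alerts:
            alerts[port] = ts
    return alerts


if __name__ == "__main__":
    for port, ts in find_flooding_ports(sample_frames()).items():
        print("possible MAC flooding on %s at t=%.2fs" % (port, ts))
```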