Security Basics mailing list archives

RE: Caching a sniffer


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 23 Mar 2004 10:20:48 -0800

> If you have a decent network switch in your environment
> you can disable all its ports to allow promiscuous mode across the
> network.

From this text I got Port Mirroring (SPAN). Now you can use macof
(or another MAC flooder) to overload the MAC table in a switch and turn
on promiscuous mode, which will allow you to sniff the network.

> I'm aware of SPAN, of course.  I use it routinely to *enable* sniffing,
> not PREVENT it.  (I took "Caching" to be an obvious misspelling of
> "Catching" -- was that my mistake?)

No clue, I just caught the last part of this thread, detailed above. But
you're right, SPAN/Port Mirroring allows you to selectively monitor a
port's traffic by forwarding a real-time copy of that traffic to a monitor
port.

> What I don't see is how it can be described as "disable all its
> ports to allow promiscuous mode across the network", which sounds
> like maybe it means a switch command to either prevent client
> devices from going into promiscuous mode, or shut down the switch
> ports of clients who do.  If such a command existed, it would be
> a great way to prevent users from sniffing each other's traffic,
> but I don't believe it does.

In essence, if you flood the MAC table of a switch, the switch will turn
into a hub, thus "disabling the switch component of the ports". You could
argue that turning on SPAN/Port Mirroring is also disabling the 'switch'
part of the port concerned.

To my knowledge, though it is not very extensive, there is no command/system
in switches to detect a NIC/adapter in promiscuous mode and disable the
port.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
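The two mechanisms the thread compares, a MAC flood that overflows the switch's address table and a SPAN session that mirrors one port, can be shown side by side with a small simulation. The model below is an added example written for this archive page, not code from the thread, from macof, or from any switch vendor. The topology (ports 1 to 3, two station MACs), the tiny CAM capacity and the aging timer are constructed values chosen so the effect is visible in a few hundred frames; real tables hold thousands of entries and age in minutes.

```python
"""Toy model of a learning switch, added to illustrate the two effects
discussed in the thread: a MAC flood that overflows the CAM table so
unicast frames are flooded to every port (the switch behaves like a hub),
and a SPAN/port-mirror session that copies one port's traffic to a
monitor port.  This is a constructed simulation, not real switch code."""
import random

# Constructed topology: three switch ports and two legitimate stations.
HOST_A, HOST_B, ATTACKER = 1, 2, 3
MAC_A, MAC_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class ToySwitch:
    """Learning switch with a bounded CAM table, entry aging, and an
    optional SPAN session (source_port, monitor_port)."""

    def __init__(self, ports, cam_capacity, age_time, span=None):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.age_time = age_time          # ticks an entry may go unrefreshed
        self.cam = {}                     # MAC -> (port, last_seen_tick)
        self.tick = 0                     # one tick per frame handled
        self.span = span                  # (source_port, monitor_port) or None

    def _expire(self):
        stale = [m for m, (_, seen) in self.cam.items()
                 if self.tick - seen > self.age_time]
        for m in stale:
            del self.cam[m]

    def _learn(self, mac, port):
        # A full table silently refuses new addresses; known ones are refreshed.
        if mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[mac] = (port, self.tick)

    def forward(self, ingress, src, dst):
        """Return the set of ports that receive a frame arriving on `ingress`."""
        self.tick += 1
        self._expire()
        self._learn(src, ingress)
        entry = self.cam.get(dst)
        if entry is not None:
            out = {entry[0]}                # known unicast: switched to one port
        else:
            out = set(self.ports)           # unknown unicast or broadcast: flooded
        if self.span is not None:
            source_port, monitor = self.span
            # Mirror frames entering or leaving the SPAN source port.
            if ingress == source_port or source_port in out:
                out.add(monitor)
        out.discard(ingress)
        return out


def flood_cam(switch, attacker_port, count):
    """Send `count` frames with random locally administered source MACs,
    the way a MAC flooder fills the CAM table."""
    for _ in range(count):
        mac = "02:" + ":".join(f"{random.randrange(256):02x}" for _ in range(5))
        switch.forward(attacker_port, mac, BROADCAST)


def demo_flood(cam_capacity=64, age_time=100, flood_frames=1000):
    """Where a unicast frame from A to B is delivered before and after the flood."""
    sw = ToySwitch([HOST_A, HOST_B, ATTACKER], cam_capacity, age_time)
    sw.forward(HOST_A, MAC_A, MAC_B)            # B unknown yet: this first frame floods
    sw.forward(HOST_B, MAC_B, MAC_A)            # reply; both stations now learned
    before = sw.forward(HOST_A, MAC_A, MAC_B)   # {2}: the attacker's port sees nothing
    flood_cam(sw, ATTACKER, flood_frames)       # A and B age out; table fills with junk
    after = sw.forward(HOST_A, MAC_A, MAC_B)    # {2, 3}: delivered like a hub
    return before, after


def demo_span():
    """Port mirroring gives the monitor port one station's traffic without any flood."""
    sw = ToySwitch([HOST_A, HOST_B, ATTACKER], 64, 100, span=(HOST_A, ATTACKER))
    sw.forward(HOST_A, MAC_A, MAC_B)
    sw.forward(HOST_B, MAC_B, MAC_A)
    a_to_b = sw.forward(HOST_A, MAC_A, MAC_B)   # {2, 3}
    b_to_a = sw.forward(HOST_B, MAC_B, MAC_A)   # {1, 3}
    return a_to_b, b_to_a


if __name__ == "__main__":
    print("MAC flood, A->B delivered to (before, after):", demo_flood())
    print("SPAN on A's port, (A->B, B->A) delivered to:", demo_span())
```

The flood works in the model for the same reason it works on hardware: the legitimate entries age out while the attacker keeps the table full of addresses that never send again, so the switch has nowhere to send a frame for B except everywhere. Nothing about the attacker's NIC is visible to the switch in either case, which matches the thread's point that a switch cannot tell that a port is in promiscuous mode; what it can see, and what the model leaves out, is an unusual number of source addresses learned on one port.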
