RE: Caching a sniffer

["David Gillett" <gillettdavid () fhda edu>]

> -----Original Message-----
> From: Fernando Gont [mailto:fernando () gont com ar]
> Sent: Wednesday, March 24, 2004 2:27 PM
> To: gillettdavid () fhda edu; security-basics () securityfocus com
> Subject: RE: Caching a sniffer
>
>
> At 08:58 24/03/2004 -0800, David Gillett wrote:
>
> >   I presume that some switches, faced with something like 
> macoff, will
> > overflow the table such that legitimate addresses that 
> should have been
> > learned start flooding to all ports as well.
> >   But this is not the only possible reaction of a switched 
> network to
> > macoff!  If Cisco's port security is enabled, the switch may 
> just shut
> > down the port running macoff.
>
> How does it detect this? By realizing that frames from a 
> given port come 
> from several different MAC source addresses?

  Exactly.  The configurable parameters for port security are:

1.  Maximum number of different source MAC addresses to be seen
    from this port.

2.  Action to be taken (alert, or shutdown port) when this limit
    is exceeded.

David Gillett



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------