Security Incidents mailing list archives

Re: Why can I see other traffic at switch environment just tcpdump?


From: Darryl Luff <dluff () iitscdm com au>
Date: Wed, 09 Oct 2002 17:26:44 +1000

SB CH wrote:

> I have operated a Linux server in a switched environment, and just
> with tcpdump I can see some other traffic which is not related to me,
> without any other tool or trick.
>
> It means that I can sniff traffic without a special sniffing tool at
> the switch, right? Is it possible?
> But it's true.

Without the use of special tools (hunt, etc.), switches will send traffic
to ports the destination is NOT on in a few different circumstances:
- You're on a monitor port that has been set to receive copies of other
traffic (so you'll receive all traffic to/from ports that are being
monitored),
- The switch doesn't know which port a destination device is on so it
sends (floods) the packet out all ports (so you should only see the
first couple of packets in a connection),
- The bridging table of the switch is full so it gives up and floods the
traffic (so your reception could be unreliable).
- Changing spanning tree topologies.
- All switches seem to leak a bit, so you do see the odd packet you
shouldn't. Probably more likely if it's busy?

and probably others. Switches filter traffic for performance reasons,
any security benefits are a (very) small unreliable bonus.

> For example:
>
> # tcpdump port 80
> 15:03:42.681171 eth0 P 211.47.130.114.1131 > 211.47.1.55.www: S
>
> My system has no relation to 211.47.130.114 or 211.47.1.55; it is
> just connected to the same switch as 211.47.1.55.


Darryl Luff
dluff () iitscdm com au
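The circumstances Darryl lists above can be told apart from a capture taken on the port in question: frames addressed to our own MAC, to the broadcast address or to a multicast group are supposed to arrive; a unicast frame for some other station's MAC is not, and whether we see only the opening SYN of such a flow (unknown-destination flooding) or every packet of it (monitor port, full bridging table) is what distinguishes his second case from his first and third. The script below is an added example and is not code from the original post or from either poster. It parses raw Ethernet/IPv4/TCP frames and applies that heuristic; the MAC addresses, the 10.0.0.9 client and the five-packet flow are constructed sample data (only the 211.47.130.114:1131 -> 211.47.1.55:80 SYN comes from the thread), and the packets-per-flow threshold of two is an assumption, not a switch-vendor figure.

```python
"""Classify frames captured on a switch port: did the switch deliver them to
us legitimately, or leak/flood/mirror someone else's unicast traffic?"""
import struct
from collections import Counter, defaultdict

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
SYN = 0x02


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def classify_frame(frame, my_mac):
    """Unicast to another station's MAC is the only class a switch should filter."""
    dst = frame[:6]
    if dst == my_mac:
        return "to_us"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:          # group bit set: multicast
        return "multicast"
    return "foreign_unicast"


def tcp_flow(frame):
    """(src_ip, sport, dst_ip, dport, tcp_flags) for IPv4/TCP frames, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 14 or ip[9] != 6:   # need TCP header up to flags byte
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (ip_str(ip[12:16]), sport, ip_str(ip[16:20]), dport, tcp[13])


def analyse(frames, my_mac):
    """Count frames per class and give a verdict for every foreign unicast TCP flow."""
    classes = Counter()
    flows = defaultdict(lambda: {"packets": 0, "flags": 0})
    for frame in frames:
        cls = classify_frame(frame, my_mac)
        classes[cls] += 1
        if cls != "foreign_unicast":
            continue
        f = tcp_flow(frame)
        if f is None:
            continue
        flows[f[:4]]["packets"] += 1
        flows[f[:4]]["flags"] |= f[4]
    verdicts = {}
    for key, info in flows.items():
        # Only the opening SYN (at most two frames, assumed threshold) reached us:
        # consistent with the switch flooding a frame for a MAC it had not learned.
        if info["packets"] <= 2 and info["flags"] == SYN:
            verdicts[key] = "leaked_opening_packets"
        else:   # data and ACKs too: monitor port or a switch that has given up filtering
            verdicts[key] = "whole_flow_visible"
    return {"classes": dict(classes), "flows": verdicts}


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Constructed test frame: minimal Ethernet/IPv4/TCP, checksums left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip_hdr + tcp_hdr


# Constructed addresses (locally administered MACs); not from the thread.
MY_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000055")   # stands in for 211.47.1.55
CLIENT_MAC = bytes.fromhex("0200000000aa")   # stands in for 211.47.130.114
OTHER_MAC = bytes.fromhex("0200000000bb")


def sample_capture():
    frames = [
        # The SYN from the post: the only packet of its flow that reached this port
        build_tcp_frame(CLIENT_MAC, SERVER_MAC, "211.47.130.114", "211.47.1.55", 1131, 80, SYN),
    ]
    # A constructed flow where every segment shows up, as it would on a monitor port
    for fl in (SYN, 0x10, 0x18, 0x10, 0x11):
        frames.append(build_tcp_frame(OTHER_MAC, SERVER_MAC, "10.0.0.9", "211.47.1.55", 40000, 80, fl))
    # Traffic we are entitled to see: addressed to us, an ARP broadcast, a multicast
    frames.append(build_tcp_frame(SERVER_MAC, MY_MAC, "211.47.1.55", "211.47.1.20", 80, 5000, 0x12))
    frames.append(BROADCAST + CLIENT_MAC + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28)
    frames.append(bytes.fromhex("01005e000001") + SERVER_MAC + struct.pack("!H", ETH_P_IP) + b"\x00" * 20)
    return frames


if __name__ == "__main__":
    result = analyse(sample_capture(), MY_MAC)
    print(result["classes"])
    for flow, verdict in result["flows"].items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
```

On a live system the same logic applies to frames read from a capture file written with `tcpdump -e -n -w file.pcap` (any pcap reader that yields raw frame bytes will do); a steady stream of `whole_flow_visible` verdicts means the port is mirroring or the switch is flooding everything, while isolated `leaked_opening_packets` verdicts match the unknown-destination case Darryl describes.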



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
