Penetration Testing mailing list archives
Re: Port mirroring detection
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Tue, 14 Dec 2004 21:45:00 -0500
-----BEGIN PGP SIGNED MESSAGE-----
"John" == John Madden <chiwawa999 () yahoo com> writes:
John> More of a suspicion... John> I've asked the question to our administrators but John> let's just say I want to check for myself. How many ports can you control? One a system with a suspected span port, turn on promisc. Send a packet with the wrong MAC for the system, but layer-3 unicast to that system. See if you get a response. If the system with the span port is trying to be stealthy (which ultimately, can mean that the Tx pair is cut...) they you may be out of luck. *SOME* switches will flow control the traffic if the mirror port is going to overflow. So, if you have 4 additional ports, and you can set up two full bandwidth streams between them, *AND* the switch does the flow control you, then you may not see full bandwidth. (More likely in GigE) - -- ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[ ] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Finger me for keys iQCVAwUBQb+lK4qHRg3pndX9AQG4WAQAs1SK1xIUk+yOMAnlL0zjuPSC+zLSXTIM vpffSE6hcVFdqqHphiIQy+dd/Fu8Mv7JUFiUfHbZV4PNCds971jaXDAHJ0iy4pP6 zCQgXBd6TIuRU2BYq2DzuGBsmRrnLokNQNOgc/H13EQEBVYalwnHoGe8UhlDFk7J 74UOOQ1KoVM= =Ep5x -----END PGP SIGNATURE-----
Current thread:
- Port mirroring detection John Madden (Dec 14)
- RE: Port mirroring detection Jim Tuttle (Dec 15)
- RE: Port mirroring detection John Madden (Dec 15)
- Re: Port mirroring detection Michael Richardson (Dec 15)
- RE: Port mirroring detection John Madden (Dec 15)
- <Possible follow-ups>
- RE: Port mirroring detection Milind Nanal (Dec 15)
- RE: Port mirroring detection Lachniet, Mark (Dec 15)
- RE: Port mirroring detection Jim Tuttle (Dec 15)