Penetration Testing mailing list archives

Re: Port mirroring detection


From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Tue, 14 Dec 2004 21:45:00 -0500

"John" == John Madden <chiwawa999 () yahoo com> writes:
    John> More of a suspicion...

    John> I've asked the question to our administrators but
    John> let's just say I want to check for myself.

  How many ports can you control?

  On a system with a suspected span port, turn on promisc.
  Send a packet with the wrong MAC for the system, but layer-3 unicast
to that system. See if you get a response.

  If the system with the span port is trying to be stealthy (which
ultimately, can mean that the Tx pair is cut...) then you may be out of
luck.

  *SOME* switches will flow control the traffic if the mirror port is
going to overflow. So, if you have 4 additional ports, and you can set
up two full bandwidth streams between them, *AND* the switch does the
flow control you, then you may not see full bandwidth.
  (More likely in GigE)

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
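The probe described in the message above, as an added example that is not part of the original post: an ICMP echo request whose Ethernet destination is deliberately wrong while the IP destination is the suspected host, plus a check for a matching echo reply in captured frames. The MAC and IP values, the function names and the choice of ICMP echo as the layer-3 unicast packet are assumptions for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_probe(src_mac, bogus_dst_mac, src_ip, dst_ip, ident=0x4D52, seq=1):
    """Ethernet + IPv4 + ICMP echo request: wrong layer-2 destination,
    correct layer-3 unicast destination."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"span-probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return mac_bytes(bogus_dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + icmp

def is_reply_to_probe(frame: bytes, probe: bytes) -> bool:
    """True if a captured frame is an ICMP echo reply to this probe
    (IP addresses swapped, same ICMP id and sequence number)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return False
    icmp = frame[14 + (frame[14] & 0x0F) * 4:]
    return (len(icmp) >= 8 and icmp[0] == 0          # type 0 = echo reply
            and frame[26:30] == probe[30:34]         # reply src = probe dst
            and frame[30:34] == probe[26:30]         # reply dst = probe src
            and icmp[4:8] == probe[38:42])           # same id and seq

def send_probe(iface: str, frame: bytes) -> None:
    """Linux only, needs root: put the frame on the wire unmodified."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)

if __name__ == "__main__":
    # Constructed sample values: locally administered MACs, documentation IPs.
    probe = build_probe("02:00:00:00:00:01", "02:00:00:00:be:ef",
                        "192.0.2.10", "192.0.2.20")
    print(probe.hex())
```

A matching reply means the target accepted a frame that was not addressed to its MAC. No reply is inconclusive, for the reason given in the message: a stealthy listener may not transmit at all.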
