Vulnerability Development mailing list archives

Re: switch jamming

From: Sebastian Jaenicke <tsa () jaenicke org>
Date: Wed, 30 Jan 2002 23:13:14 +0100

Hi,

On Wed, Jan 30, 2002 at 10:05:08PM +0000, Jan wrote:
[..]

how can i sniff upon a switched network segment ? a read some articles about "switch jamming" and "port mirroring" 
but up to know i didn't learn anything special at all.
ca some of your guys out there help me ? (i'm sure some of you can but are you willing, too ?)


This can be achieved by flooding the switch with spoofed ARP packets until
its internal MAC table is filled up - most switches will then revert to 
"hub mode" and therefore broadcast all traffic to the network where it
can easily be sniffed.

http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm should
give you some (more accurate?) information.

Sebastian
-- 
Sebastian Jaenicke
whois pgpkey-18AC0BE4 () whois ripe net|perl -ne's-^certif: +--&&print'
  "Object-oriented programming is an exceptionally bad idea which
   could only have originated in California." --Edsger Dijkstra

Attachment: _bin
Description:

Current thread:

switch jamming Jan (Jan 30)
- Re: switch jamming Securism (Jan 30)
- Re: switch jamming Sebastian Jaenicke (Jan 30)
  - Re: switch jamming Todd Suiter (Jan 30)
- DoS against DHCP RSnake (Jan 30)
  - RE: DoS against DHCP John Stauffacher (Jan 30)
  - Re: DoS against DHCP Russell Handorf (Jan 30)
  - Re: DoS against DHCP Craig Van Tassle (Jan 30)
  - Re: DoS against DHCP Felix Lindner (Jan 31)
- Re: switch jamming Blue Boar (Jan 30)
- <Possible follow-ups>
- RE: switch jamming Ed Moyle (Jan 30)
  - Re: switch jamming sean whalen (Jan 30)
- RE: switch jamming Henniges, Matthew (ISS) (Jan 30)

(Thread continues...)