RE: switch jamming

["Henniges, Matthew (ISS)" <MHenniges () exchange ml com>]

It depends on whether you have ownership (or control) of the switch or not.

If you do, then the easiest way is to 'span' the ports/vlans you want to sniff on to the port that your sensor is 
plugged in to. Spanning is not an industry-wide feature, I'm not sure if any switch
manufacturers other than Cisco support a similar feature.

Or, if the device you are sniffing on can understand, or at least strip, 802.1q tags, you can plug your sniffer into a 
trunk port.

If you don't control the switch there are various ways to make other ports visible.

Arp cache poisoning targeting the hosts or the routers works in some cases, as does fooling the switch into making 
multiple CAM entries for your port by changing your L2 address.

There probably resource exhaustion attacks that will through a port (or blade?) in to a broadcast mode, but I've never 
seen one successfully executed.

As with all things YYMV; I've noticed that different firmware/IOS versions can have a great effect on the effectiveness 
of all these techniques.

Regards-

Matthew B. Henniges
Security Engineering
Internet Support Services
Merrill Lynch


-----Original Message-----
From: DrKimble () t-online de [mailto:DrKimble () t-online de] 
Sent: Wednesday, January 30, 2002 5:05 PM
To: vuln-dev () securityfocus com
Subject: switch jamming

hi guys,

actually i have been reading the discussions on your board for quite a long time, but this is my first own posting - so 
please be fair on me ;-))
at the moment my boss is planning a firm which will take care of firm networks and so we discussed several topics. 
that's where my question starts:
how can i sniff upon a switched network segment ? a read some articles about "switch jamming" and "port mirroring" but 
up to know i didn't learn anything special at all.
ca some of your guys out there help me ? (i'm sure some of you can but are you willing, too ?)

best regards,
jan