Vulnerability Development mailing list archives
RE: switch jamming
From: "Henniges, Matthew (ISS)" <MHenniges () exchange ml com>
Date: Wed, 30 Jan 2002 17:34:24 -0500
It depends on whether you have ownership (or control) of the switch or not. If you do, then the easiest way is to 'span' the ports/vlans you want to sniff on to the port that your sensor is plugged in to. Spanning is not an industry-wide feature; I'm not sure if any switch manufacturers other than Cisco support a similar feature. Or, if the device you are sniffing on can understand, or at least strip, 802.1q tags, you can plug your sniffer into a trunk port.

If you don't control the switch there are various ways to make other ports visible. Arp cache poisoning targeting the hosts or the routers works in some cases, as does fooling the switch into making multiple CAM entries for your port by changing your L2 address. There are probably resource exhaustion attacks that will throw a port (or blade?) in to a broadcast mode, but I've never seen one successfully executed.

As with all things YMMV; I've noticed that different firmware/IOS versions can have a great effect on the effectiveness of all these techniques.

Regards-
Matthew B. Henniges
Security Engineering
Internet Support Services
Merrill Lynch

-----Original Message-----
From: DrKimble () t-online de [mailto:DrKimble () t-online de]
Sent: Wednesday, January 30, 2002 5:05 PM
To: vuln-dev () securityfocus com
Subject: switch jamming

hi guys,

actually i have been reading the discussions on your board for quite a long time, but this is my first own posting - so please be fair on me ;-))

at the moment my boss is planning a firm which will take care of firm networks and so we discussed several topics. that's where my question starts:

how can i sniff upon a switched network segment ?

i read some articles about "switch jamming" and "port mirroring" but up to now i didn't learn anything special at all. can some of you guys out there help me ? (i'm sure some of you can but are you willing, too ?)

best regards,
jan
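Added example, not part of the original post: a sensor plugged into a trunk port receives frames carrying 802.1q tags, and this sketch shows what "understand, or at least strip" those tags means at the byte level. The function name and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def strip_dot1q(frame: bytes):
    """Return (vlan_ids, untagged_frame) for a raw Ethernet frame.

    vlan_ids lists the VLAN ID of every 802.1Q tag found, outermost
    first; it is empty when the frame carried no tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    addrs = frame[:12]              # destination MAC + source MAC
    offset = 12
    vlan_ids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break                   # reached the real EtherType
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI: VLAN ID
        offset += 4                     # skip TPID (2 bytes) + TCI (2 bytes)
    return vlan_ids, addrs + frame[offset:]


# Constructed sample: broadcast ARP frame tagged with VLAN 42, priority 5.
SAMPLE_TAGGED = bytes.fromhex(
    "ffffffffffff"   # destination MAC
    "020000000001"   # source MAC (locally administered, made up)
    "8100" "a02a"    # 802.1Q tag: TPID, then TCI (PCP=5, DEI=0, VID=42)
    "0806"           # inner EtherType: ARP
) + bytes(28)        # zeroed placeholder for the ARP body

if __name__ == "__main__":
    vlans, untagged = strip_dot1q(SAMPLE_TAGGED)
    print("VLANs:", vlans, "untagged length:", len(untagged))
```

A sniffer that does not do this step reads 0x8100 as the EtherType and misparses everything after it, which is why the sensor's tag handling matters when it sits on a trunk.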