Re: switch jamming

[Todd Suiter <todd () s4r com>]

Or:

        Most models of cisco switchen and extreme networks switchen
have the option to 'mirror' ports. I'm not that familiar with
the cisco side of things, so will focus on the extreme's. You can
mirror either a set or all ports on a given switch, to one port on
said switch, which can then be 'sniffed' in the usual fashion.

so 48 port switch, minus 1 port for the 'mirror' port, leaves
you 47 100Mb ports to sniff.

On Wed, 30 Jan 2002, Sebastian Jaenicke wrote:

> Hi,
>
> On Wed, Jan 30, 2002 at 10:05:08PM +0000, Jan wrote:
> [..]
> > how can i sniff upon a switched network segment ? a read some articles about "switch jamming" and "port mirroring" 
> > but up to know i didn't learn anything special at all.
> > ca some of your guys out there help me ? (i'm sure some of you can but are you willing, too ?)
>
> This can be achieved by flooding the switch with spoofed ARP packets until
> its internal MAC table is filled up - most switches will then revert to
> "hub mode" and therefore broadcast all traffic to the network where it
> can easily be sniffed.
>
> http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm should
> give you some (more accurate?) information.
>
> Sebastian
> --
> Sebastian Jaenicke
> whois pgpkey-18AC0BE4 () whois ripe net|perl -ne's-^certif: +--&&print'
>   "Object-oriented programming is an exceptionally bad idea which
>    could only have originated in California." --Edsger Dijkstra