Vulnerability Development mailing list archives
RE: mac duplication
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Fri, 12 Dec 2003 14:32:31 -0600
> I did the following experiment: I have a switched Ethernet network in my university. I wanted to capture packets meant for a certain machine on a different port of a Dlink switch. I thought that ARP poisoning would be too noisy - arpwatch can catch it, and it's too bulky for the MITM machine (in case we are poisoning a heavily loaded server machine). So I duplicated the MAC of the victim machine on my own machine.

By their very definition, MAC addresses are globally unique. So there's no 'standard' behavior. What a switch does when it sees a duplicated MAC is completely arbitrary...

> What I saw was this: the ping packet drop rate for either of the two machines from a third machine varied from 40 to almost 80%. Also, telnet sessions to either of the two machines (which now had the same MAC address) worked with notable 4-5 second lockups.

Most likely, what the switch is doing is updating its tables each time it sees the MAC address on a packet, ACK, ARP, etc. (ok, it's on port 12) (now it's on port 17) (ok, back to 12) ... And for the interval between updates, the packets get routed only to that one port.

> Further, I could not ping the other machine from one of the duplicated machines. (The last one is okay - it makes a lot of sense.) My premise is that the problem in connectivity is coming because the OS does not fall back to half duplex mode when two machines take up the same MAC address?

Duplex is irrelevant

> Can anyone please tell me about the behaviour? How do I set up MAC duplication in that case so that I can sniff data?

You can't...

> I don't want to hurt network performance, and so don't want to do MAC flooding. Anyway, I'm not even sure the switches we have here would resort to broadcast mode in case of MAC flooding.

The only way to do this without hurting performance is to be the switch's administrator and to use the 'monitor' or 'span' (different vendors call it different things) facility.

-----Burton
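The table-update behaviour described in the reply above can be modelled in a few lines. This is an added example, not code from the thread: the `LearningSwitch` class, the equal transmit rate of the two stations and the documentation-range MAC addresses are assumptions, and ports 12 and 17 are taken from the reply's illustration. It shows why roughly half the frames miss the intended station and how the same table moves give an administrator a detection signal.

```python
import random

DUP_MAC = "00:00:5e:00:53:01"   # constructed, documentation range
PINGER = "00:00:5e:00:53:02"    # constructed, documentation range

class LearningSwitch:
    """Minimal MAC-learning switch model: one port per MAC, last source seen wins."""
    def __init__(self):
        self.table = {}   # MAC -> port where it was last seen as a source
        self.moves = {}   # MAC -> times its table entry changed port

    def forward(self, src, dst, in_port):
        """Learn src on in_port, then return the egress port for dst (None = flood)."""
        old = self.table.get(src)
        if old is not None and old != in_port:
            self.moves[src] = self.moves.get(src, 0) + 1
        self.table[src] = in_port
        return self.table.get(dst)

def simulate(pings=1000, seed=1):
    """A host on port 1 pings DUP_MAC while stations on ports 12 and 17 both
    transmit with that MAC. Returns (loss rate for the port-12 station, switch)."""
    rng = random.Random(seed)
    sw = LearningSwitch()
    delivered = 0
    for _ in range(pings):
        # Either station may send a frame before the ping arrives,
        # re-pointing the single table entry for DUP_MAC.
        sw.forward(DUP_MAC, PINGER, rng.choice([12, 17]))
        if sw.forward(PINGER, DUP_MAC, 1) == 12:
            delivered += 1
    return 1 - delivered / pings, sw

def flapping_macs(switch, threshold=10):
    """Administrator's check: MACs whose table entry moved between ports too often."""
    return sorted(m for m, n in switch.moves.items() if n >= threshold)

if __name__ == "__main__":
    loss, sw = simulate()
    print(f"loss seen by port-12 station: {loss:.0%}")
    print("flapping MACs:", flapping_macs(sw))
```
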