Re: general sniffer question
From: theog@yoda.dnsq.org
Date: 09/06/01
- Previous message: theog@yoda.dnsq.org: "Re: IP Based Network Access in Solaris"
- In reply to: leon: "general sniffer question"
- Next in thread: leon: "RE: general sniffer question"
- Reply: leon: "RE: general sniffer question"
- Reply: jose cuartas: "RE: general sniffer question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 Sep 2001 21:03:01 -0400 (EDT)
From: <theog@yoda.dnsq.org>
To: leon <leon@inyc.com>
Subject: Re: general sniffer question
Message-ID: <Pine.LNX.4.33.0109052056480.20970-100000@yoda.dnsq.org>
It is possible that what you saw was ARP broadcasts. ARP IS part of the
TCP/IP protocol stack; even though the machines are using TCP/IP as a
communication protocol, they need the MAC address of each card. An IP
is a logical representation of the machine, so how will one computer know
the physical location of another? When you communicate over Ethernet,
your computer takes the IP address and tries to find the MAC address
(i.e. the Ethernet card matching it) for the IP. It does that by
broadcasting ARP packets, then it saves it into a cache (ARP cache) for
a predefined TTL. The fact that you saw your router's password
indicates you saw a packet going through the default gateway (which also
uses ARP, as any Ethernet device does).
TheOG
On Fri, 31 Aug 2001, leon wrote:
> Hi all,
>
> I am a little confused by what I am seeing in the sniffer logs and I was
> wondering if someone could help me out. First a little background: I am
> trying to sniff on a switched network without attacking the switches (i.e.
> like flooding the ARP table). I know that I should be able to see
> broadcast traffic because everyone sees it, but I am actually seeing
> other people's packets that are not broadcast packets. How is that
> possible???? I thought the whole concept behind the switch was that the
> traffic was isolated (via separate collision domains). Not only that,
> but in the program I am using (Sniffer Pro 4.5) I am seeing broadcast
> traffic for "devices" (the device has a MAC address) that don't have IP
> addys. That seems weird, as I assumed everything would need to have an
> IP addy to communicate via TCP/IP. I guess maybe this device is
> talking via another protocol at layer 2?
>
> So since I couldn't find the IP addy of the machine I looked up who
> owned the MAC addy on a website. Note helpful website alert:
> http://www.coffer.com/mac_find/ and found that the MAC address was owned
> by the company that made the router. So here are my questions. How is it
> possible for me to see other people's traffic (non-broadcast) on the
> switch without attacking it or it malfunctioning? Also, why would the
> router have a MAC address and it not be matched up to an IP? Further, I
> wonder if anyone has suggestions for tracking devices down in the future
> when you don't have their IP and only a MAC addy? I used Windows to see
> all the MACs of PCs, and I know with HPs and some printers you can print
> out configurations, but what about those you can't? Do other people just
> go to a website like I did?
>
> Thoughts, comments, answers, flames?
> Public or private
>
> Thx
>
> Leon
>
--
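The reply above describes the mechanism behind what Leon saw: an ARP request goes to the Ethernet broadcast address, every station on the segment receives it (switch or not), and the answering host's IP-to-MAC pair is cached for a TTL. The following is an added example written for this archive page, not code from either poster: it parses raw Ethernet/ARP frames, keeps a TTL-bounded ARP cache, and records when an IP's MAC changes while the old entry is still valid, which is the condition a defender watches for when someone is "attacking" the table as Leon mentions. All frames, MACs and IPs are constructed in the block; nothing is captured from a real network, and the helper names (`build_arp_frame`, `parse_arp_frame`, `ArpCache`) are this example's own.

```python
"""Ethernet/ARP frame parsing and a TTL-bounded ARP cache with conflict logging.

Added example for the thread above; the frames, MAC and IP values below are
constructed by hand for illustration (no real capture was used).
"""
import struct
import time

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_frame(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst=None):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.

    A request is sent to the broadcast MAC (so every station on the segment
    sees it); a reply is unicast back to the asking station.
    """
    eth_dst = eth_dst or (BROADCAST_MAC if op == ARP_REQUEST else dst_mac)
    eth = _mac_bytes(eth_dst) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac_bytes(src_mac) + bytes(map(int, src_ip.split(".")))
    arp += _mac_bytes(dst_mac) + bytes(map(int, dst_ip.split(".")))
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return a dict describing the ARP packet, or None if the frame is not ARP."""
    if len(frame) < 14 + 28:
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled here
    body = frame[22:42]
    return {
        "eth_dst": mac_str(eth_dst),
        "eth_src": mac_str(eth_src),
        "is_broadcast": mac_str(eth_dst) == BROADCAST_MAC,
        "op": op,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


class ArpCache:
    """IP -> (MAC, expiry) map with a TTL, plus a log of IP/MAC conflicts."""

    def __init__(self, ttl_seconds=60.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so expiry can be tested offline
        self.entries = {}
        self.conflicts = []     # (ip, old_mac, new_mac) while old entry still valid

    def observe(self, pkt):
        now = self.clock()
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]  # requests and replies both reveal the sender
        if ip == "0.0.0.0":
            return  # ARP probe from a host with no address yet: nothing to cache
        old = self.entries.get(ip)
        if old and old[0] != mac and old[1] > now:
            self.conflicts.append((ip, old[0], mac))
        self.entries[ip] = (mac, now + self.ttl)

    def lookup(self, ip):
        ent = self.entries.get(ip)
        if ent is None or ent[1] <= self.clock():
            self.entries.pop(ip, None)  # expired: a fresh broadcast would be needed
            return None
        return ent[0]


def demo():
    """Walk three constructed frames through the parser and cache."""
    clock = [0.0]
    cache = ArpCache(ttl_seconds=30.0, clock=lambda: clock[0])
    frames = [
        build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
        build_arp_frame(ARP_REPLY, "00:aa:bb:cc:dd:ee", "192.0.2.1", "00:11:22:33:44:55", "192.0.2.10"),
        build_arp_frame(ARP_REPLY, "00:de:ad:be:ef:00", "192.0.2.1", "00:11:22:33:44:55", "192.0.2.10"),
    ]
    pkts = []
    for f in frames:
        pkt = parse_arp_frame(f)
        cache.observe(pkt)
        pkts.append(pkt)
    gw_before = cache.lookup("192.0.2.1")
    clock[0] = 31.0                      # advance past the 30 s TTL
    gw_after = cache.lookup("192.0.2.1")
    return pkts, cache.conflicts, gw_before, gw_after
```

The first frame is the broadcast request that every host on the segment sees; the two replies are unicast, and the third frame's different MAC for the gateway's IP lands in `conflicts`, which is the signal to investigate. The first three bytes of `sender_mac` are the OUI that vendor-lookup sites such as the one Leon used key on.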