RE: Sniffing a Switched Network

From: Yahoo - CQRMail (cqrmail@yahoo.com)
Date: 09/07/01


From: "Yahoo - CQRMail" <cqrmail@yahoo.com>
To: <michael.white@lmscae.com>, "Security-Basics" <security-basics@securityfocus.com>, "MICROSOFT_SECURITY" <MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM>, "Focus-Ms" <focus-ms@securityfocus.com>
Subject: RE: Sniffing a Switched Network
Date: Thu, 6 Sep 2001 22:41:47 -0400
Message-ID: <FJEELJEFFFDHCDIOKCGJOEEHCKAA.cqrmail@yahoo.com>

Two ways to sniff a switched network: using a SPAN (monitored) port on a
switch, where you can see traffic for a specific port, VLAN, or chassis, or
doing an ARP spoof where your machine becomes the gateway for all users
within that network.

Using the first method, any good sniffer will do: Sniffer Pro, Snort, etc.
etc. For the second method I would recommend ettercap - the great ARP poisoning
tool. For more on this method check out: http://www.oxid.it/ Dig around
until you find the Flash presentation under the topics menu...it's nicely
done. I have not used their tool: IRS

Bottom line, the switch process doesn't broadcast traffic to all ports like
a hub. After a switch ARPs out for its destination, it will only send data
to the destination port (increasing performance and quality of transfer).
Because traffic only passes between a source and destination port, all other
ports (including your promiscuous NIC) will not see traffic.

ARP poisoning will respond to the ARP request and pretend to be your
destination; once the transfer begins, all traffic passes to your machine
before reaching the true destination. Just sit back and watch...there is
one hit...in performance. A user might pick up on the latency introduced
while passing through your sniffer.

Have fun :)

Tony

-----Original Message-----
From: Michael R. White [mailto:michael.white@lmscae.com]
Sent: Wednesday, September 05, 2001 3:08 PM
To: Security-Basics; MICROSOFT_SECURITY; Focus-Ms
Subject: Sniffing a Switched Network

I seem to be getting conflicting information about sniffing network traffic
on a switched network. I've been told by some that I should have no
difficulties sniffing all traffic on my switched network, but others say
unless you configure the monitoring on the switches I won't be able to sniff
all traffic. Can someone clarify, and possibly provide some resources?

I'm also interested in knowing what the best sniffers and best
implementations are. MS, Linux, Unix...doesn't matter, but interested in at
least one from each if possible. I've tried tcpdump on Red Hat, but it
doesn't seem to provide all traffic information. I put a Win2K box and the
Red Hat box on a hub with the Red Hat box sniffing all traffic to and from the
Win2K box. Upon pinging from and to the box, I get no results from tcpdump.
I am seeing some traffic like this line below:
12:51:51.999744 eth0 B 192.168.100.13.netbios-dgm >
192.168.100.255.netbios-dgm: NBT UDP (138)
but not much more than that.

Any help is greatly appreciated.

TIA,

Michael
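The ARP poisoning Tony describes, where a third machine answers the ARP request for the gateway, leaves a visible trace in the ARP replies on the wire: the gateway's IP suddenly maps to a different MAC, and that MAC ends up claiming more than one address. The following detector, added here as an example and not code from either poster or from ettercap, runs that check over a few constructed tcpdump-style ARP reply lines (the line format and the addresses are assumptions, not captures from the thread).

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines (format assumed, not from the thread):
# the gateway 192.168.100.1 first answers with its real MAC, then a third host
# answers the same request with its own MAC and also claims the client's address.
SAMPLE_LINES = """\
12:51:52.000100 ARP, Reply 192.168.100.1 is-at 00:aa:bb:cc:dd:01, length 28
12:51:52.000200 ARP, Reply 192.168.100.13 is-at 00:aa:bb:cc:dd:13, length 28
12:51:53.000300 ARP, Reply 192.168.100.1 is-at 00:aa:bb:cc:dd:66, length 28
12:51:53.000400 ARP, Reply 192.168.100.13 is-at 00:aa:bb:cc:dd:66, length 28
12:51:54.000500 ARP, Reply 192.168.100.1 is-at 00:aa:bb:cc:dd:66, length 28
"""

ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]+)", re.IGNORECASE)


def parse_arp_replies(text):
    """Yield (ip, mac) pairs from ARP reply lines; other lines are ignored."""
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_poisoning(replies):
    """Flag an IP whose MAC changes and a MAC that claims more than one IP.

    A poisoner answering for the gateway shows up as both: the gateway's
    address flips to the attacker's MAC, and that MAC then owns the gateway's
    and the victim's addresses at once (the "become the gateway" position
    described in the thread). Returns a list of alert strings, in order.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"ip-change {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"multi-ip {mac}: {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(SAMPLE_LINES)):
        print(alert)
```

Legitimate events (a replaced NIC, a DHCP lease moving to another host, a router holding several addresses) trigger the same checks, so in practice the mappings are compared against a baseline of known gateway and server addresses before an alert is raised.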

