RE: Sniffing a Switched Network
From: owentoby@WellsFargo.COM Date: 09/06/01
- Previous message: John R. Morris: "RE: Sniffing a Switched Network"
- Maybe in reply to: Michael R. White: "Sniffing a Switched Network"
- Next in thread: centipede: "Re: Sniffing a Switched Network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: owentoby@WellsFargo.COM Message-ID: <BFCC17728801D311A6A90001FA7EA1360B2FBDBC@xcem-aztem-04.wellsfargo.com> To: michael.white@lmscae.com, security-basics@securityfocus.com, MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM, focus-ms@securityfocus.com Subject: RE: Sniffing a Switched Network Date: Thu, 6 Sep 2001 10:02:33 -0700
The difference is in what a switch does versus what a hub does. A hub is
really a layer 1 device, simply a repeater. Putting a sniffer on a hub
truly allows you to monitor ALL traffic on that network segment.
A switch operates at layer 2, and sorts traffic based on destination MAC
address. Thus, if a packet is sent to one specific host, and the switch
knows which port that host lives on, only that host will get the traffic.
If a packet is broadcast to the whole network, then the switch forwards that
to all ports, since there cannot be a MAC address correlated to a broadcast
address. Putting a sniffer on a standard switch port, then, will only let you
see traffic inbound to and outbound from the sniffer itself, plus the local
network segment's broadcast traffic.
Most switches, at least at the enterprise level, allow configuring at least
1 port as a "monitoring" port. When this mode is enabled, the switch will
pass all traffic to the destination port and to the monitoring port. So if
you hang a sniffer off that port, you can then see all traffic on the
segment, at least from those devices attached to that switch.
A great primer on TCP/IP basics can be found at:
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf
You should do some reading, because decoding network traffic, once you
sniff it, will be very difficult if you don't understand what you're looking
at: TCP headers vs. IP headers vs. HTTP headers vs. Ethernet headers.
Good luck.
As far as good sniffers out there, I'll let someone else answer that one.
Toby
-----Original Message-----
From: Michael R. White [mailto:michael.white@lmscae.com]
Sent: Wednesday, September 05, 2001 12:08 PM
To: Security-Basics; MICROSOFT_SECURITY; Focus-Ms
Subject: Sniffing a Switched Network
I seem to be getting conflicting information about sniffing network traffic
on a switched network. I've been told by some that I should have no
difficulties sniffing all traffic on my switched network, but others say
unless you configure the monitoring on the switches I won't be able to sniff
all traffic. Can someone clarify, and possibly provide some resources?
I'm also interested in knowing what the best sniffers and best
implementations are. MS, Linux, Unix...doesn't matter, but interested in at
least one from each if possible. I've tried tcpdump on Redhat, but it
doesn't seem to provide all traffic information. I put a Win2K box and the
Redhat box on a hub with the Redhat box sniffing all traffic to and from
Win2k box. Upon pinging from and to the box, I get no results from tcpdump.
I am seeing some traffic like this line below:
12:51:51.999744 eth0 B 192.168.100.13.netbios-dgm >
192.168.100.255.netbios-dgm: NBT UDP (138)
but not much more than that.
Any help is greatly appreciated.
TIA,
Michael
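The hub-versus-switch behaviour Toby describes above, as an added toy model that is not part of this thread: a learning switch that forwards known unicast frames to one port, floods broadcasts and unknown MACs, and copies everything to an optional monitor port, next to a hub that repeats every frame. Port numbers, MAC addresses and the four-frame ping exchange are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"  # constructed MACs

@dataclass
class Frame:
    src: str
    dst: str
    label: str  # constructed description of the frame

@dataclass
class Switch:
    ports: Set[int]
    monitor_port: Optional[int] = None
    cam: Dict[str, int] = field(default_factory=dict)  # learned MAC -> port

    def forward(self, ingress: int, frame: Frame) -> Set[int]:
        """Ports that receive a copy of a frame arriving on `ingress`."""
        self.cam[frame.src] = ingress  # learn where the source MAC lives
        if frame.dst != BROADCAST and frame.dst in self.cam:
            out = {self.cam[frame.dst]} - {ingress}  # known unicast: one port
        else:
            out = self.ports - {ingress}  # broadcast or unknown MAC: flood
        if self.monitor_port is not None and self.monitor_port != ingress:
            out.add(self.monitor_port)  # monitor port gets a copy of everything
        return out

def replay(ports: Set[int], traffic: List[Tuple[int, Frame]],
           forward: Callable[[int, Frame], Set[int]]) -> Dict[int, List[str]]:
    """Replay frames; map each port to the frames it receives a copy of."""
    seen: Dict[int, List[str]] = {p: [] for p in ports}
    for ingress, frame in traffic:
        for port in forward(ingress, frame):
            seen[port].append(frame.label)
    return seen

# Host A on port 1, host B on port 2, sniffer on port 3, port 4 is the monitor port.
PORTS = {1, 2, 3, 4}
TRAFFIC = [
    (1, Frame(MAC_A, BROADCAST, "ARP who-has B")),
    (2, Frame(MAC_B, MAC_A, "ARP reply B->A")),
    (1, Frame(MAC_A, MAC_B, "ping A->B")),
    (2, Frame(MAC_B, MAC_A, "ping reply B->A")),
]

def run_demo() -> Tuple[Dict[int, List[str]], Dict[int, List[str]]]:
    switch = Switch(ports=PORTS, monitor_port=4)
    hub = replay(PORTS, TRAFFIC, lambda ingress, _frame: PORTS - {ingress})
    return replay(PORTS, TRAFFIC, switch.forward), hub

if __name__ == "__main__":
    print(run_demo())
```

On the switch, the plain port 3 sees only the ARP broadcast, while monitor port 4 (and every port on the hub) sees all four frames.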