Re: Packet Sniffing in a Switched LAN

From: GomoR (GomoR@gomor.org)
Date: 11/13/01


Date: Tue, 13 Nov 2001 10:50:17 +0100
From: GomoR <GomoR@gomor.org>
To: Marc Mc Guinness <security@mcguinness.de>
Subject: Re: Packet Sniffing in a Switched LAN
Message-Id: <20011113105017.6b1fcd55.GomoR@gomor.org>

On Sat, 10 Nov 2001 00:32:18 +0100 Marc Mc Guinness <security@mcguinness.de>
wrote:

>
>
> Hello!
>
> On Thursday, 8 November 2001 23:24, Matt Hemingway wrote:
> > If it's a switched network, which the subject of this e-mail
> > states, then Ethereal won't work. The best tool for a switched
> > network is ettercap (ettercap.sourceforge.net).
> >
> > Personally I use Arpwatch (no url available) to find all hosts on
> > the network and then use Ettercap to sniff the victim.
> >
> > If this is a hubbed network then Ethereal works like a charm.
>
> I don't understand that. Can anybody explain it to me? Why is
> ethereal not good for a switched LAN, but for a hubbed one it is?
> I'm starting to work with ethereal at the moment (in a switched
> network).
>

        It is because a switch is an "intelligent" hub. It is intelligent because
it sends packets only to the real destination host, not to all hosts
connected to the wire.

        For example, if a machine A sends a packet to machine B, and there is a
third machine (C, for example), and they are all connected to a hub, machines
B and C will receive the packet. But if the hub were a switch, only machine B
would receive this packet.

        In conclusion, if you sniff in a switched environment, you will only sniff
packets destined to your host.

        I hope I am quite understood :)

==========================================================
    FreeBSD Network - http://www.gomor.org/
    Security Engineer Junior
==========================================================
    =-----=> root is the only God I believe in <=-----=
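
The hub-versus-switch behaviour described in the reply above, as an added example that is not part of the original message: a small simulation of what a capture host on port C receives. It goes slightly beyond the A/B/C case in the text by modelling MAC learning, so it also shows that a switch still floods broadcast frames and frames for destinations it has not yet learned. All class names, ports, MAC addresses and frames are constructed for illustration.

```python
# Added illustration: hub vs. learning switch, as seen from a capture host on port C.
# Port names, MAC strings and the frame tuples are constructed sample data.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class Switch(Hub):
    """Learns source MAC -> port; floods only broadcast and unknown destinations."""

    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port            # learn which port the sender is on
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:      # broadcast or not yet learned: flood
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]   # learned: deliver to one port only


def seen_by(device, frames, capture_port):
    """Return the frames a promiscuous capture host on capture_port receives."""
    return [f for f in frames if capture_port in device.forward(*f)]


MAC = {"A": "02:00:00:00:00:0a", "B": "02:00:00:00:00:0b", "C": "02:00:00:00:00:0c"}
# Each frame: (ingress port, source MAC, destination MAC)
FRAMES = [
    ("A", MAC["A"], BROADCAST),  # e.g. an ARP request from A
    ("B", MAC["B"], MAC["A"]),   # B replies to A
    ("A", MAC["A"], MAC["B"]),   # A -> B unicast
    ("B", MAC["B"], MAC["A"]),   # B -> A unicast
]

if __name__ == "__main__":
    for dev in (Hub("ABC"), Switch("ABC")):
        got = seen_by(dev, FRAMES, "C")
        print(f"{type(dev).__name__}: C captures {len(got)} of {len(FRAMES)} frames")
```
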


