RE: Sniffing

From: Timothy Donahue (tdonahue_at_Haynes-Group.com)
Date: 12/15/03

  • Next message: Timothy Donahue: "RE: WinXP Admin login"
    Date: Mon, 15 Dec 2003 14:04:24 -0500
    To: "Shah H (Comp)" <03004309@glam.ac.uk>, <security-basics@securityfocus.com>
    
    

    Inline.

    > From: Shah H (Comp) [mailto:03004309@glam.ac.uk]
    >
    > I'm not an expert in the Security Arena like many of the guys on this
    > group & wanted some information about Sniffer Programs solely for
    > education purpose.
    >
    > 1) On a Switched Network can Sniffers capture Network Traffic only for
    > the switch it is connected to switch or for all the switches on the
    > network?

    None of the above. Sniffers on a switched network can only capture
    information destined for the MAC address of the NIC attached to the
    switch. Only traffic for that MAC will be delivered.

    On more advance switches, ie. Managed switches from Cisco or HP, you can
    assign a "span port" that will allow you to mirror the traffic from one
    port to another. This would allow you to sniff the traffic destined for
    that port.

    There are some sniffers which claim to be able to defeat this by using
    arp storms, but they are extremely dangerious applications. They can
    lead to DOS situations, and bring normally fast networks to their knees.
    (Many companies also list unauthorized sniffing as an offense that an
    employee can be terminated for.)

    >
    > 2) Can Sniffing be detected using a Network Intrusion Detection System
    > and if yes then are there any Sniffing ways which are not detected by
    > NDIS?

    A correctly configured passive sniffer, no probably not. But you never
    know.

    Tim Donahue

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: Timothy Donahue: "RE: WinXP Admin login"