RE: Caching a sniffer

From: Shawn Jackson (sjackson_at_horizonusa.com)
Date: 03/23/04

  • Next message: Shawn Jackson: "RE: Caching a sniffer"
    Date: Tue, 23 Mar 2004 10:20:48 -0800
    To: <gillettdavid@fhda.edu>
    
    

    > If you have a decent network switch in your environment
    > you can disable all it's port to allow promiscuous mode across the
    > network.

    From this text I got Port Mirroring, (SPAN). Now you can use MacOff
    (or another MAC flooder) to overload the MAC table in a switch and turn
    on promiscuous mode which will allow you to sniff the network.

    >I'm aware of SPAN, of course. I use it routinely to *enable* sniffing,

    >not PREVENT it. (I took "Caching" to be an obvious misspelling of
    >"Catching" -- was that my mistake?)

    No clue, I just caught the last part of this thread, detailed above. But
    you're right, SPAN/Port Mirroring allows you to selective monitor a
    ports
    traffic by forwarding a real-time copy of that traffic to a monitor
    port.

    >What I don't see is how it can be described as "disable all it's
    >port to allow promiscuous mode across the network", which sounds
    >like maybe it means a switch command to either prevent client
    >devices from going into promiscuous mode, or shut down the switch
    >ports of clients who do. If such a command existed, it would be
    >a great way to prevent users from sniffing each other's traffic,
    >but I don't believe it does.

    In essence if you flood the MAC table of a switch the switch will turn
    into a hub, thus "disabling the switch component of the ports". You
    could
    argue that turning on SPAN/Port Mirroring is also disabling the 'switch'
    part
    of that concerned port.

    To my knowledge, though not very extensive, I know of no command/system
    in switches to detect a NIC/Adapter in promiscuous mode and disable the
    port.

    Shawn Jackson
    Systems Administrator
    Horizon USA
    1190 Trademark Dr #107
    Reno NV 89521

    www.horizonusa.com
    Email: sjackson@horizonusa.com
    Phone: (775) 858-2338
           (800) 325-1199 x338

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------


  • Next message: Shawn Jackson: "RE: Caching a sniffer"

    Relevant Pages

    • Re: Cat 2924
      ... Copyright 1986-2004 by cisco Systems, ... BOX in both H/W and S/W, compared to a C2924-XL Switch... ... FastEthernet0/1 failed front-end loopback test ... to make the port configuration "visible", you need to apply 2 commands ...
      (comp.dcom.sys.cisco)
    • Re: Cat 2924
      ... Copyright 1986-2004 by cisco Systems, ... BOX in both H/W and S/W, compared to a C2924-XL Switch... ... FastEthernet0/1 failed front-end loopback test ... to make the port configuration "visible", you need to apply 2 commands ...
      (comp.dcom.sys.cisco)
    • Gigabit Flexibility with Magnum 6K32T Managed Switch from GarrettCom, Inc.
      ... THROUGHPUT WITH MAGNUM 6K32T MANAGED SWITCH ... Gigabit port capability to four Gb ports when compared to the ...
      (comp.dcom.lans.ethernet)
    • Gigabit Flexibility with Magnum 6K32T Managed Switch from GarrettCom, Inc.
      ... OF GB THROUGHPUT WITH MAGNUM 6K32T MANAGED SWITCH ... Gigabit port capability to four Gb ports when compared to the ...
      (sci.engr.control)
    • Re: new BSD user
      ... A long time ago (pre auto negotiate) when the very earliest ... plug the NIC of a PC up to a switch port. ... set for DHCP as the modem/router contains a built in DHCP server. ...
      (comp.unix.bsd.freebsd.misc)