RE: mac duplication

From: Burton M. Strauss III (BStrauss_at_acm.org)
Date: 12/12/03

    To: "Dev" <u02113@cs.unipune.ernet.in>, <vuln-dev@securityfocus.com>
    Date: Fri, 12 Dec 2003 14:32:31 -0600
    
    

    > I did the following experiment:
    >
    > I have a switched ethernet network in my university.
    > I wanted to capture packets meant for a certain machine on a
    > different port of a Dlink switch. I thought that arp poisoning
    > would be too noisy - arpwatch can catch it, & it's too bulky for
    > the MITM machine (in case we are poisoning a heavily loaded
    > server machine.)
    > & so I duplicated the MAC of the victim machine on my own machine.

    By their very definition, MAC addresses are globally unique. So there's no
    'standard' behavior.
    What a switch does when it sees a duplicated MAC is completely arbitrary...

    > What I saw was this:
    >
    > ping packet drop rate for any of the two machines from a third
    > machine varied from 40 to almost 80 %. Also say telnet sessions
    > to any of the two machines (which had now the same mac addresses)
    > worked with notable 4-5 second lockups.

    Most likely, what the switch is doing is to update its tables each time it
    sees the MAC address on a packet, ACK, ARP, etc. (ok, it's on port 12) (now
    it's on port 17) (ok, back to 12) ...

    And for the interval between updates, the packets get routed only to that
    one port.

    > Further I could not ping the other machine from one of the
    > duplicated machines. (the last one is okay - it makes a lot of sense)
    >
    > My premise is that the problem in connectivity is coming because
    > the OS does not fall back to half duplex mode when two machines
    > take up the same MAC address??

    Duplex is irrelevant.

    > Can anyone please tell me about the behaviour? How do I set up MAC
    > duplication in that case so that I can sniff data?

    You can't...

    > I don't want to hurt network performance, & so don't want to do MAC
    > flooding. Anyway, I'm not even sure the switches we have here
    > would resort to broadcast mode in case of MAC flooding.

    The only way to do this without hurting performance is to be the switch's
    administrator and to use the 'monitor' or 'span' (different vendors call it
    different things) facility.

    -----Burton
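
Added example, not part of the original message: a toy Python model of the table behaviour described above, where the switch relearns the MAC's port on every frame it sees (port 12, then 17, then back to 12), so delivery to the legitimate host depends on who transmitted last. The class and function names, the MAC value and the traffic mix are assumptions; the move counter is the symptom a switch administrator would look for as MAC flapping.

```python
import random
from collections import Counter

SHARED_MAC = "02:00:00:00:00:01"  # constructed, locally administered address


class LearningSwitch:
    """Toy learning switch: one port per MAC, the last sender wins."""

    def __init__(self):
        self.table = {}         # MAC -> port where it was last seen as a source
        self.moves = Counter()  # MAC -> number of times its port changed

    def learn(self, src_mac, port):
        old = self.table.get(src_mac)
        if old is not None and old != port:
            self.moves[src_mac] += 1  # the MAC "moved" between ports
        self.table[src_mac] = port

    def forward(self, dst_mac):
        """Port a unicast frame to dst_mac leaves on (None means flood)."""
        return self.table.get(dst_mac)


def simulate(frames, legit_port=12, dup_port=17, dup_share=0.5, seed=1):
    """Two ports source frames with the same MAC; after each one, a third
    machine sends a frame to that MAC. Returns the fraction of those frames
    that reached the legitimate port, plus the switch for inspection."""
    rng = random.Random(seed)
    sw = LearningSwitch()
    delivered = 0
    for _ in range(frames):
        # One of the two hosts transmits; the switch relearns the MAC.
        sender = dup_port if rng.random() < dup_share else legit_port
        sw.learn(SHARED_MAC, sender)
        # The frame goes to one port only: whichever was learned last.
        if sw.forward(SHARED_MAC) == legit_port:
            delivered += 1
    return delivered / frames, sw


def flapping(sw, threshold=5):
    """MACs whose port changed more than `threshold` times."""
    return [mac for mac, n in sw.moves.items() if n > threshold]


if __name__ == "__main__":
    ratio, sw = simulate(2000)
    print(f"delivered to legitimate port: {ratio:.0%}")
    print(f"port moves: {sw.moves[SHARED_MAC]}, flapping: {flapping(sw)}")
```

Changing `dup_share` shifts the loss rate seen by the third machine, which is consistent with a drop rate that varies with how much each of the two hosts is transmitting.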

