Re: mac duplication

• Previous message: Burton M. Strauss III: "RE: mac duplication"
• In reply to: Dev: "mac duplication"
• Next in thread: Jimi Thompson: "Re: mac duplication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Dev <u02113@cs.unipune.ernet.in>
Date: Fri, 12 Dec 2003 16:14:43 -0500

Hi all,

If a switch sees identical MACs on two ports, this ussually is
interpreted as a sign of a loop in the network or the client has moved
around very quickly.

The other gentleman is right that each switch will handle the situation
in its own way and I've never seen a swich that will let you sniff if
you simply spoof the target mac. The best way to monitor is to either:

1) buy a hub
2) buy a switch that supports a monitoring a port
3) bridge two interfaces on your sniffer and make it the switch

Hope this is helpful.

Sam

On Fri, 2003-12-12 at 05:17, Dev wrote:
> hi ppl, please redirect me to a different mailing list if this is not the appropriate list to post to.
>
> I did the following experiment:
>
> I have a switched ethernet network in my university.
> I wanted to capture packets meant for a certain machine on a different port of a Dlink switch. I thought that arp poisoning would be too noisy - arpwatch can catch it, & its too bulky for the MITM machine (in case we are poisoning a heavily loaded server machine.)
> & So i duplicated the mac of the victim machine on my own machine.
>
> What i saw was this:
>
> ping packet drop rate for any of the two machines from a third machine varied from 40 to almost 80 %. Also say telnet sessions to any of the two machines (which had now the same mac addresses) worked with notable 4-5 second lockups.
>
> Further i could not ping the other machine from one of the duplicated machines. (the last one is okay - it makes a lot of sense)
>
> My premise is that the problem in connectivity is coming becoz the OS does not fall back to half duplex mode when two machines take up the same mac address??
>
> can anyone plz tell me about the behaviour. How do i set up mac duplication in that case so that i can sniff data.
>
> I dont want to hurt network performance. & so dont want to do mac flooding. Anyways i m not even sure the switches we have here would resort to broadcast mode in case of mac flooding.
>
> Last but not the least its my second message to the list, & people were really helpful in discussing about my queries in my first message.
>
> Mailing lists rock..
>
> Devrat

• Previous message: Burton M. Strauss III: "RE: mac duplication"
• In reply to: Dev: "mac duplication"
• Next in thread: Jimi Thompson: "Re: mac duplication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]