Re: Detecting a switch

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 04/27/05


Date: 27 Apr 2005 15:10:10 GMT

In article <1114590799.617477.218320@o13g2000cwo.googlegroups.com>,
 <manohar.katoch@gmail.com> wrote:
:Is there a tool that lets u detect if the device is a hub, unmanaged
:switch or a managed switch connected on a network?

Not reliably.

Another poster indicated that with a hub, you can see frames
destined for other MAC addresses, but not with a switch.
That is not quite the case, as there are instances when you will
see other destination MACs:

a) The switch doesn't know which port the destination is on, and
so floods the packet to all ports in the same VLAN;

b) The switch MAC table is full and the switch is designed to flood
packets in that situation;

c) Multicast and broadcast and various other packets don't have -your-
MAC address as their destination: they have standard MAC addresses
that are specially recognized by your system.

d) The switch has been configured to 'span' (or 'mirror') traffic
to your port. When traffic is spanned/mirrored, it is switch dependent
as to whether VLAN tags are removed, and switch dependent as to
whether the original source MAC is preserved or if the source MAC is
replaced with the MAC of the egress switch port.

e) Your system might be on a shared media segment itself, rather than
a fully-switched segment, so there might be legitimate other destination
MAC addresses on your segment.

These factors don't mean you can't apply heuristics -- e.g., if you
see TCP SYN packets for other destinations, but seldom SYN ACK, then
you are likely connected to a switch. Similarly, if you see ARP
replies from other hosts then either you are attached to a hub or
you are on a shared segment.

One factor you can look at is whether your connection is full
duplex or not. If it is full duplex, then either there is a
misconfiguration problem, or else you are attached to a switch:
hubs are inherently half-duplex.

You cannot reliably detect whether a switch is "managed" or not.

You can monitor for packets addressed to the switch IP, but
you probably won't see them unless you are on a shared media segment
yourself -- because when a packet arrives at a switch that is
addressed to the switch, the switch is going to know exactly which
port and MAC address the packet is from, and is only going to reply
there.

Similarly, you can monitor for packets -from- the switch IP, but
again you are not likely to see them because of the above factor.

If you see RIP broadcasts or RIP or OSPF multicasts coming from
the switch, the switch is -probably- managed and probably a Layer 3
or higher device... but then one gets into debates about what it means
for a switch to be "managed". A configurable switch is not
necessarily a "managed" switch, and a switch which allows you to
telnet or http in and see per-port error counters and so on, is
not necessarily going to be willing to talk SNMP or RMON.

-- 
This signature intentionally left... Oh, darn!
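The heuristics in the reply above (foreign SYNs without matching SYN/ACKs, ARP replies addressed to other hosts, full-duplex link state), as an added Python example that is not part of the original post. The frame records and MAC addresses are constructed, the `Frame` class is a stand-in for whatever capture library would supply, and the thresholds (`min_syn`, the one-quarter SYN/ACK ratio) are assumptions; broadcast and multicast frames are excluded exactly because, as point (c) says, they prove nothing about the segment.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed: the capturing host's own interface address (hypothetical value).
MY_MAC = "00:11:22:33:44:55"


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured Ethernet frame (constructed; not a pcap parser)."""
    src_mac: str
    dst_mac: str
    proto: str            # "tcp" or "arp"
    tcp_flags: str = ""   # "S" = SYN, "SA" = SYN/ACK (tcp only)
    arp_op: str = ""      # "request" or "reply" (arp only)


def is_group_address(mac: str) -> bool:
    """True for broadcast and multicast: the I/G bit (LSB of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def summarize(frames: Iterable[Frame], my_mac: str = MY_MAC) -> dict:
    """Count unicast frames addressed to neither us nor a group address."""
    counts = {"foreign_unicast": 0, "foreign_syn": 0,
              "foreign_synack": 0, "foreign_arp_reply": 0}
    for f in frames:
        dst = f.dst_mac.lower()
        if dst == my_mac.lower() or is_group_address(dst):
            continue  # our own traffic, broadcast and multicast say nothing (point c)
        counts["foreign_unicast"] += 1
        if f.proto == "tcp":
            if f.tcp_flags == "S":
                counts["foreign_syn"] += 1
            elif f.tcp_flags == "SA":
                counts["foreign_synack"] += 1
        elif f.proto == "arp" and f.arp_op == "reply":
            counts["foreign_arp_reply"] += 1
    return counts


def classify(counts: dict, full_duplex: Optional[bool] = None,
             min_syn: int = 5) -> tuple:
    """Return (verdict, reasons); verdict is 'switch', 'hub_or_shared' or 'unknown'."""
    reasons = []
    if full_duplex is True:
        reasons.append("link is full duplex: hubs are half duplex "
                       "(or the link is misconfigured)")
        return "switch", reasons
    if counts["foreign_arp_reply"] > 0:
        reasons.append(f"{counts['foreign_arp_reply']} ARP replies to other hosts seen")
        return "hub_or_shared", reasons
    syn, synack = counts["foreign_syn"], counts["foreign_synack"]
    if syn >= min_syn:
        # "seldom SYN ACK": fewer than a quarter of the flooded SYNs get a visible reply,
        # which is what unknown-destination flooding on a switch looks like (point a).
        if synack * 4 < syn:
            reasons.append(f"{syn} foreign SYNs but only {synack} SYN/ACKs")
            return "switch", reasons
        reasons.append(f"{syn} foreign SYNs and {synack} SYN/ACKs: both directions seen")
        return "hub_or_shared", reasons
    reasons.append("too little foreign unicast traffic to decide")
    return "unknown", reasons


# Constructed sample captures. Station addresses are made-up unicast MACs.
OTHER_A, OTHER_B = "00:aa:00:00:00:01", "00:aa:00:00:00:02"
NOISE = [Frame(OTHER_A, "ff:ff:ff:ff:ff:ff", "arp", arp_op="request"),   # broadcast
         Frame(OTHER_B, "01:00:5e:00:00:09", "tcp")]                     # multicast
SAMPLE_SWITCHED = NOISE + [Frame(OTHER_A, OTHER_B, "tcp", "S")] * 8 \
    + [Frame(OTHER_B, OTHER_A, "tcp", "SA")]
SAMPLE_SHARED = NOISE + [Frame(OTHER_A, OTHER_B, "tcp", "S")] * 8 \
    + [Frame(OTHER_B, OTHER_A, "tcp", "SA")] * 7 \
    + [Frame(OTHER_B, OTHER_A, "arp", arp_op="reply")] * 2


if __name__ == "__main__":
    for name, sample in (("switched", SAMPLE_SWITCHED), ("shared", SAMPLE_SHARED)):
        verdict, why = classify(summarize(sample))
        print(f"{name}: {verdict} ({'; '.join(why)})")
```

The verdict is only as good as the caveats in the reply allow: a mirrored port (point d) or a full MAC table (point b) will make a switch look like a hub to this classifier, and the duplex check short-circuits everything else because, per the reply, a genuinely full-duplex link cannot be a hub.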
