RE: sniffing packets on a switch

On Cisco's switches you can use the SPAN feature to send a mirror of data received on a given port to another port.

IE, your firewall port is spanned to another switchport to allow your IDS to sample all incoming data destined for the trusted net.

--BD

-----Original Message-----
From: David Gillett [mailto:gillettdavid@fhda.edu] Sent: Monday, March 10, 2003 11:02 AM
To: security-basics@securityfocus.com
Subject: RE: sniffing packets on a switch

  Do you know what kind of problems?

  The most obvious problem with doing this is that, by default, your sniffer machine's port on the switch will only be sent traffic that is either broadcast, or addressed specifically to the sniffer host.
  Most switches offer a way that the switch administrator can direct that traffic for one or more other ports be copied to the sniffer's port. That's not a sniffer program issue.

  There *are* ways to try that may make this happen if you don't have administrative access to the switch, and there might even be some tools around that automate such measures. But on most well-run networks, people without admin access to things like switches are also not authorized to be running sniffers, so let's not go there in a public forum....

David Gillett

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> -----Original Message-----
Received on Wed Mar 12 12:59:19 2003