Question about packet sniffing through a switch...
I thought switches don't broadcast any packets received from one port destined to another? Unless of course it is a broadcast packet.
So how does one Computer C sniff data that Computer A sent to Computer B through a switch? It does routing through its MAC filter table doesn't it? So Computer C shouldn't receive the data.
World Cup 2006 - Zidane - Never Forget.
Comments
SPAN, port mirror or port monitoring, or whatever the manufacturers want to call it, is available on most high-end managed switches.
I thought if your NIC supported something called "promiscuous mode" or along those lines, it allows you to. But I don't understand how that would exactly work.
No, PC3 would not be able to sniff traffic between PC1 and PC2 with a NIC in promiscuous mode. The term broadcast in this scenario does not relate to broadcasts sent to the IP broadcast address, but to Ethernet being a broadcast network technology. In a non-switched network, all network nodes hear all traffic (layer 2 frames), but only process frames addressed to themselves (unless they have a NIC in promiscuous mode, in which case it processes all traffic it hears, even if the destination address doesn't match its own). In a switched network, devices only hear traffic actually addressed to them (or to everyone through a broadcast address), but not communication between nodes connected to other switch ports. Putting the NIC in promiscuous mode wouldn't change a thing because it just doesn't get the traffic on its cable/switchport.
The Switches section in my Security+ Network Devices TechNotes explains it in more detail:
The Monitoring section on the same page is relevant as well.
http://www.sans.org/resources/idfaq/switched_network.php
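As an added illustration (not part of the thread or the linked TechNotes), a small Python model of the point made above: a hub repeats every frame to every port, so a promiscuous NIC on PC3 sees PC1-to-PC2 traffic, while a learning switch forwards known unicast frames only to the learned port, so promiscuous mode on PC3 gains nothing unless its port is configured as a SPAN/mirror port. MAC addresses, payloads and the class names are constructed for the example.

```python
from collections import namedtuple
BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst payload")

class Nic:
    def __init__(self, mac, promiscuous=False):
        self.mac, self.promiscuous, self.seen = mac, promiscuous, []
    def receive(self, frame):
        # A normal NIC keeps only frames for its own MAC or the broadcast MAC;
        # a promiscuous NIC passes everything that reaches its cable to the sniffer.
        if self.promiscuous or frame.dst in (self.mac, BROADCAST):
            self.seen.append(frame.payload)

class Hub:
    """Shared medium: every frame is repeated out of every other port."""
    def __init__(self, ports):
        self.ports = ports
    def transmit(self, in_port, frame):
        for port, nic in self.ports.items():
            if port != in_port:
                nic.receive(frame)

class Switch:
    """Learning switch: records src MAC -> port, sends known unicast to that port only,
    floods broadcast/unknown destinations, and optionally copies every frame to a SPAN/mirror port."""
    def __init__(self, ports, mirror_port=None):
        self.ports, self.mirror_port, self.mac_table = ports, mirror_port, {}
    def transmit(self, in_port, frame):
        self.mac_table[frame.src] = in_port
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            targets = [p for p in self.ports if p != in_port]
        else:
            targets = [out_port]
        if self.mirror_port not in (None, in_port) and self.mirror_port not in targets:
            targets.append(self.mirror_port)
        for port in targets:
            self.ports[port].receive(frame)

def run(device_cls, promisc=True, **kwargs):
    """PC1 (port 1) and PC2 (port 2) exchange constructed frames while PC3 on
    port 3 tries to sniff; returns the payloads PC3's NIC actually accepted."""
    a, b = Nic("00:00:00:00:00:01"), Nic("00:00:00:00:00:02")
    c = Nic("00:00:00:00:00:03", promiscuous=promisc)
    dev = device_cls({1: a, 2: b, 3: c}, **kwargs)
    dev.transmit(1, Frame(a.mac, BROADCAST, "ARP who-has PC2"))  # flooded to all ports
    dev.transmit(2, Frame(b.mac, a.mac, "ARP reply"))            # switch has learned port 1
    dev.transmit(1, Frame(a.mac, b.mac, "PC1->PC2 data"))        # switch has learned port 2
    return c.seen
```

Compare `run(Hub)` with `run(Switch)`: on the switch PC3 only ever sees the broadcast, and only `run(Switch, mirror_port=3)` gives it the full conversation.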
It's really not that difficult to do, and too many people put faith in the fact that "we're using switches so we are safe".
I even heard a telco claim that years ago. A common misconception that applies to other devices and security technologies as well. But from a CompTIA Security+ point of view, switches provide protection against sniffing. In proper terms: it mitigates the threat of sniffing and decreases the risk. That doesn't mean they're safe though.
Mike
So Fondue gave one example of how it could be done, while the link that I gave talked about several more. Just as with almost everything associated with computers there are several methods of doing something.
But as the webmaster stated for most certifications one of the advantages of a switch is that it is unsniffable.