Promiscuous mode use when network uses a switch (not hub)
I understand that it is possible for software to put a network card into promiscuous mode so that ALL packets received on the network interface are transmitted to the CPU rather than JUST packets destined for THIS computer.
And I can understand how this could be useful for packet sniffing, e.g., to detect which clients are connecting to which servers, and all sorts of troubleshooting stuff like that.
But what if the computers are connected via a switch? I am thinking about an Ethernet network here. With a switch, it has its own 'intelligence' and will not send frames to computers for which the destination is not it. Is that correct?
So then how do you do packet sniffing on a network with a switch?
Comments
BobBobson Member Posts: 11
You can set up port mirroring on a switch; doing that will allow you to pick a port that you want to monitor, and a port that will receive a copy of the monitored port's traffic.
Here's a more detailed document on the subject if you would like to know more: Catalyst 2960 and 2960-S Software Configuration Guide, 12.2(55)SE - Configuring SPAN and RSPAN [Cisco Catalyst 2960 Series Switches] - Cisco
TechGuru80 Member Posts: 1,539
Port mirroring, or a malicious way would be to pose as a trunk. That is a bit outside the scope of the Network+, however.
Justin- Member Posts: 300
Yes, you are right in the fact that the switch is an intelligent device that forwards frames based on the MAC address. You can still get around this by using port mirroring, which will copy all the traffic on that specific port and forward it to yours so you can get a full copy of the traffic and still sniff the packets.
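As an added illustration (not part of the thread or any poster's code), the toy model below shows why a promiscuous NIC on an ordinary switch port captures only flooded frames, and how a mirror session on the monitored port changes that. The `Switch` class, port numbers and MAC addresses are constructed for the example, and the mirroring logic is a simplification that copies both directions, not Cisco's implementation.

```python
# Toy learning switch with an optional mirror (SPAN-style) session.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}     # MAC address -> port it was last seen on
        self.span_src = None    # monitored port
        self.span_dst = None    # port that receives the copies

    def mirror(self, source, destination):
        """Copy traffic entering or leaving `source` to `destination`."""
        self.span_src, self.span_dst = source, destination

    def forward(self, in_port, src, dst):
        """Return the set of ports this frame is delivered to."""
        self.mac_table[src] = in_port                  # learn the sender
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]} - {in_port}    # known unicast: one port
        else:
            out = self.ports - {in_port}               # broadcast/unknown: flood
        out.discard(self.span_dst)   # mirror port carries only mirrored copies
        if self.span_src is not None and (
            in_port == self.span_src or self.span_src in out
        ):
            out.add(self.span_dst)
        return out

def frames_seen(sw, sniffer_port, frames):
    """Frames a promiscuous NIC on `sniffer_port` would capture."""
    return [f for f in frames if sniffer_port in sw.forward(*f)]

# Constructed traffic: client on port 1, server on port 2, sniffer on port 3.
CLIENT, SERVER = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
FRAMES = [
    (1, CLIENT, BROADCAST),   # ARP-style broadcast: flooded to every port
    (2, SERVER, CLIENT),      # reply: client's port is already learned
    (1, CLIENT, SERVER),      # unicast, delivered to port 2 only
    (2, SERVER, CLIENT),      # unicast, delivered to port 1 only
]

def demo():
    plain = frames_seen(Switch([1, 2, 3]), 3, FRAMES)
    sw = Switch([1, 2, 3])
    sw.mirror(source=2, destination=3)   # monitor the server's port
    return len(plain), len(frames_seen(sw, 3, FRAMES))

if __name__ == "__main__":
    print(demo())   # (frames seen without mirroring, frames seen with it)
```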