Security Basics mailing list archives

RE: Sniffing


From: "Timothy Donahue" <tdonahue () Haynes-Group com>
Date: Mon, 15 Dec 2003 14:04:24 -0500

Inline.

From: Shah H (Comp) [mailto:03004309 () glam ac uk] 

I'm not an expert in the Security Arena like many of the guys on this
group & wanted some information about Sniffer Programs solely for
education purpose.

1) On a Switched Network can Sniffers capture Network Traffic only for
the switch it is connected to or for all the switches on the
network?

None of the above.  Sniffers on a switched network can only capture
information destined for the MAC address of the NIC attached to the
switch.  Only traffic for that MAC will be delivered.  

On more advanced switches, i.e. managed switches from Cisco or HP, you can
assign a "span port" that will allow you to mirror the traffic from one
port to another.  This would allow you to sniff the traffic destined for
that port.

There are some sniffers which claim to be able to defeat this by using
ARP storms, but they are extremely dangerous applications.  They can
lead to DoS situations, and bring normally fast networks to their knees.
(Many companies also list unauthorized sniffing as an offense that an
employee can be terminated for.)


2) Can Sniffing be detected using a Network Intrusion Detection System
and if yes then are there any Sniffing ways which are not detected by
NDIS?

A correctly configured passive sniffer, no, probably not.  But you never
know.

Tim Donahue
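
[Added example, not part of the original message.] Unlike a passive sniffer, the ARP-storm approach mentioned in the reply puts frames on the wire, so a monitor on a span port can count them. The sketch below flags MAC addresses sending bursts of ARP replies and IP addresses claimed by more than one MAC; the record format, the addresses and the thresholds (`window`, `max_replies`) are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: (seconds, ARP opcode, sender MAC, sender IP), as a
# monitor on a span port might record them. All addresses are made up.
SAMPLE = [
    (0.0, "request", "00:11:22:33:44:01", "192.0.2.10"),
    (0.5, "reply", "00:11:22:33:44:fe", "192.0.2.1"),  # real gateway answers
] + [
    # 40 unsolicited replies in 0.4 s from another MAC claiming the gateway IP
    (2.0 + i * 0.01, "reply", "00:11:22:33:44:66", "192.0.2.1")
    for i in range(40)
]


def find_arp_anomalies(frames, window=1.0, max_replies=20):
    """Return (storm_macs, conflicts).

    storm_macs: MACs that sent more than max_replies ARP replies within
                any span of `window` seconds.
    conflicts:  IP -> sorted list of MACs, for IPs claimed by several MACs.
                Failover setups can cause this legitimately, so treat it
                as a lead to check, not proof.
    """
    recent = defaultdict(deque)  # MAC -> timestamps of its recent replies
    claims = defaultdict(set)    # IP  -> MACs seen claiming it
    storm_macs = set()
    for ts, op, mac, ip in sorted(frames):
        claims[ip].add(mac)
        if op != "reply":
            continue
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:  # drop replies outside the window
            q.popleft()
        if len(q) > max_replies:
            storm_macs.add(mac)
    conflicts = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    return storm_macs, conflicts


if __name__ == "__main__":
    storms, conflicts = find_arp_anomalies(SAMPLE)
    print("reply bursts from:", sorted(storms))
    print("IPs with several MACs:", conflicts)
```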
