Security Basics mailing list archives
RE: Caching a sniffer
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Wed, 24 Mar 2004 12:54:31 -0600
<snip />
In essence if you flood the MAC table of a switch the switch will turn into a hub, thus "disabling the switch component of the ports".
Of course, that's not necessarily true. The behavior of a switch when the MAC address table is exceeded is not defined by any standard, nor is it often specified by the manufacturer. I can think of at least four behaviors, each of which would give different results to the end user.

1. Dump the entire MAC table. Switch acts as if power on reset just occurred.

2. Stop learning. All previously learned MAC addresses remain, and so only traffic for unrecognized MAC addresses gets sent to all ports.

3. Partial purge of table. Some portion of the table gets purged and the switch continues, treating those purged MAC addresses as if this was the first time they were seen. Depending upon how the purged addresses are selected - oldest first, youngest first, random, lowest MAC addresses, highest MAC addresses or something else - the switch will act differently for different users.

4. Shutdown port - assume hostile intent and stop forwarding traffic.

Further note that some manufacturers have per-port tables, others have a single global table, and some (10/100 switches) may have a 10BaseT table and a 100BaseT table, so the behaviors above could have other 'flavors'.

Do I know which switches do what? Nope. But we should ALL have learned the lessons of depending upon undocumented behaviors and unspecified conditions with Y2K.

Somebody said this earlier in the thread. To rephrase... If you have a business need to do this, you should be buying gear that allows you to do it in a controlled AND understood manner.
You could argue that turning on SPAN/Port Mirroring is also disabling the 'switch' part of that concerned port.
SPAN/Port Mirroring/Roving Analysis Port (3Com) is intentional and controlled by the administrator. Also, how the port handles traffic in excess of its capacity (say you are monitoring 3 100BaseT ports out a single 100BaseT port) is completely Mfg dependent and undocumented. <snip />

-----Burton
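The four overflow behaviors Burton lists, plus two variants of the "partial purge" case, as an added simulation (not code from the original post or from any switch vendor). It models a toy learning switch with a bounded MAC table, runs the same macof-style flood from a sniffer's port under each policy, and reports where the switch then sends a frame addressed to the victim. The capacity, port numbers and MAC addresses are constructed assumptions; the point is only that the sniffer's success depends entirely on an unspecified policy choice.

```python
from collections import OrderedDict

FLOOD = "flood"   # frame copied to every port except ingress (what a sniffer wants)
DROP = "drop"     # frame discarded


class SwitchSim:
    """Toy learning switch: bounded MAC table plus a pluggable overflow policy.

    Constructed model for illustration; no real switch is claimed to behave this way.
    """

    POLICIES = ("reset", "stop_learning", "purge_oldest", "purge_newest", "shutdown")

    def __init__(self, capacity, policy):
        if policy not in self.POLICIES:
            raise ValueError("unknown policy %r" % policy)
        self.capacity = capacity
        self.policy = policy
        self.table = OrderedDict()   # mac -> port; insertion order doubles as entry age
        self.disabled_ports = set()  # ports shut down by the "shutdown" policy

    def _learn(self, mac, port):
        if mac in self.table:
            self.table[mac] = port
            self.table.move_to_end(mac)      # refresh the entry's age on every frame seen
            return
        if len(self.table) < self.capacity:
            self.table[mac] = port
            return
        # Table full: everything from here on is the unspecified behaviour the post discusses.
        if self.policy == "reset":           # 1. dump everything, as after a power-on reset
            self.table.clear()
            self.table[mac] = port
        elif self.policy == "stop_learning": # 2. keep what is known, learn nothing new
            return
        elif self.policy == "purge_oldest":  # 3a. evict the least recently refreshed entry
            self.table.popitem(last=False)
            self.table[mac] = port
        elif self.policy == "purge_newest":  # 3b. evict the most recently refreshed entry
            self.table.popitem(last=True)
            self.table[mac] = port
        elif self.policy == "shutdown":      # 4. assume hostile intent, shut the ingress port
            self.disabled_ports.add(port)

    def forward(self, src, dst, ingress):
        """Return the egress port for one frame, or FLOOD / DROP."""
        if ingress in self.disabled_ports:
            return DROP
        self._learn(src, ingress)
        if ingress in self.disabled_ports:   # port was just shut down by the overflow policy
            return DROP
        egress = self.table.get(dst)
        if egress is None:
            return FLOOD                     # unknown destination: flood out every other port
        if egress == ingress:
            return DROP                      # destination is on the ingress segment already
        return egress


def mac_flood_scenario(policy, capacity=8, flood_frames=64):
    """Victim on port 1, attacker/sniffer on port 2, server on port 3 (all constructed).

    Returns where the server's post-flood frame to the victim ends up.
    """
    sw = SwitchSim(capacity, policy)
    victim = "00:00:5e:00:53:01"     # constructed addresses from the documentation range
    server = "00:00:5e:00:53:03"
    broadcast = "ff:ff:ff:ff:ff:ff"
    # Normal traffic first: the switch learns victim (port 1) and server (port 3).
    sw.forward(victim, server, 1)
    sw.forward(server, victim, 3)
    # Attacker on port 2 sprays frames with fabricated, locally administered source MACs.
    for i in range(flood_frames):
        bogus = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        sw.forward(bogus, broadcast, 2)
    # The server now answers the victim. FLOOD means the sniffer on port 2 receives a copy.
    egress = sw.forward(server, victim, 3)
    return {
        "egress": egress,
        "sniffer_sees_it": egress == FLOOD,
        "attacker_port_disabled": 2 in sw.disabled_ports,
        "table_size": len(sw.table),
    }


if __name__ == "__main__":
    for policy in SwitchSim.POLICIES:
        print("%-14s %s" % (policy, mac_flood_scenario(policy)))
```

Running it shows the split Burton predicts: "reset" and "purge_oldest" flood the victim's traffic to the attacker's port, "stop_learning" and "purge_newest" keep delivering it only to port 1, and "shutdown" keeps forwarding correctly while taking the attacker's port down. The same flood, the same sniffer, five different outcomes, none of which a datasheet is obliged to tell you.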