[Sunhelp] About snoop
Erik Parker
eparker at mindsec.com
Mon Oct 16 02:50:16 CDT 2000
This is not actually accurate; there are ways to snoop/sniff switched
networks. Not that one would want to do this on their own production
network, however you can easily do ARP redirects for a host to your own
machine to see those packets.

You can also flood switches with millions of MAC addresses, which in some
cases will drop the switch into a "hub"-like mode.

These ideas can both be demonstrated by dsniff.

On Mon, 16 Oct 2000, John Lee wrote:
> Hello,
>
> Thanks for all your help. I know the limitation is due to the switched
> network, not the snoop tool.
> I really appreciate all your help.
>
> Regards.
> John
>
> -----Original Message-----
> From: sunhelp-admin at sunhelp.org [mailto:sunhelp-admin at sunhelp.org]On
> Behalf Of Martin Wedel sr
> Sent: Friday, October 13, 2000 2:22 PM
> To: sunhelp at sunhelp.org
> Subject: Re: [Sunhelp] About snoop
>
>
> The 'problem' doesn't lie within the sniffer. The whole idea behind
> switched networks is that traffic is directed only to the segment where
> the destination node is located, no more no less, save broadcast, ARP, etc
> etc. No sniffer can get past this, as it can't 'sniff' what it can't
> see.
> If you are doing this for a legitimate reason, I suggest using a
> mirrored port on the switch for your NIDS/analyzer box.
>
> --
> Martin Wedel
> sun at minor-element.net
> http://www.minor-element.net/
>
> On Fri, 13 Oct 2000, John Lee wrote:
Erik Parker
Mind Security
An armed society, is a polite society.
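
Added example, not part of the original thread: a defender-side check for the two conditions described above (an IP address being re-claimed by a different MAC, and a burst of new source MACs on one switch port), run over observations from a sensor on a mirrored port. The record layout, port names, addresses and thresholds are constructed assumptions, not output from snoop or any real switch.

```python
from collections import defaultdict

# Constructed observations, as a sensor on a mirrored port might record them:
# (seconds, switch_port, source_mac, ip_claimed_in_arp_reply or None)
SAMPLE = [
    (0.0, "fa0/1", "08:00:20:aa:00:01", "192.0.2.1"),
    (0.5, "fa0/2", "08:00:20:aa:00:02", "192.0.2.10"),
    (9.0, "fa0/7", "00:10:5a:bb:00:07", "192.0.2.1"),  # known IP, new MAC
]
# Constructed burst of never-seen source MACs arriving on one access port.
SAMPLE += [
    (10.0 + i / 1000, "fa0/7", "02:00:00:00:%02x:%02x" % (i >> 8, i & 255), None)
    for i in range(300)
]


def analyze(frames, max_macs_per_port=64, window=5.0):
    """Return alerts for ARP rebinding and per-port source-MAC bursts."""
    ip_owner = {}                # IP -> first MAC seen claiming it
    active = defaultdict(dict)   # port -> {mac: last_seen_time}
    flooded = set()              # ports already reported, to alert once
    alerts = []
    for ts, port, mac, arp_ip in sorted(frames, key=lambda f: f[0]):
        if arp_ip is not None:
            owner = ip_owner.setdefault(arp_ip, mac)
            if owner != mac:
                alerts.append(("arp-rebind", arp_ip, owner, mac, port))
        seen = active[port]
        seen[mac] = ts
        # Expire MACs not seen on this port within the sliding window.
        for old in [m for m, t in seen.items() if ts - t > window]:
            del seen[old]
        if len(seen) > max_macs_per_port and port not in flooded:
            flooded.add(port)
            alerts.append(("mac-flood", port, len(seen)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

A rebind alert is a prompt to investigate rather than proof of redirection: a DHCP lease handed to another host or a failover pair moving an address produces the same pattern.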