Switch & sniffer

Unanswered Question
Feb 26th, 2007

Can someone please clarify for me.

If you are part of a vlan and someone on that same vlan installs a packet sniffer, will he be able to see traffic other users on the vlan are sending ?

I know about SPAN and how it works but please clarify the above for me. Is there any way to hack it, so a user that does not have access to the switch administration to be able to sniff out other user packets on same vlan?

Ahmede Mon, 02/26/2007 - 08:20

Yes, he can. If you run sniffer software on your PC, you should be able to sniff the network and see other users' traffic. I do that all the time!

Richard Burts Mon, 02/26/2007 - 08:28


Are you saying that your PC is connected to an access port, not configured as a SPAN or MONITOR port, and that you can see traffic for other users? Are you connected to a hub instead of a switch? The operation of a switch is that it will deliver unicast frames only to a port on which the destination MAC is located and to SPAN or MONITOR ports. So how is your PC seeing the other traffic?



Richard Burts Mon, 02/26/2007 - 08:23


Assuming that their port is configured as an access port and not a trunk, if someone within your VLAN installs a sniffer, they will see any multicast/broadcast traffic in the VLAN and will see any unicast traffic for their port. But they will not see unicast traffic for other ports.



cisconoobie Mon, 02/26/2007 - 09:05

So it is possible to sniff out other user unicast packets on the same vlan without the use of SPAN?

Richard Burts Mon, 02/26/2007 - 09:16


Disabling tcp/ip on the nic and doing "transparent" sniffing works well on a hub or similar environment. But without getting into questions of port MAC security, how do you get the switch to send unicast frames to a port that does not have the destination MAC on it?

[edit: while I was typing my response Bill posted another response and I believe that we are saying pretty much the same thing. In a hub type of environment you can do transparent sniffing and see traffic for many end stations but in a switch environment you do not see unicast frames for other MAC addresses. Since Sparky asked his question in the context of VLAN membership I assume that a switch environment was intended.

Now maybe we can get AHMED to clarify what he meant about sniffing on switch ports.]



cisconoobie Mon, 02/26/2007 - 09:28

Ok so switches provide better security than hubs. Now is there any way to setup security on the switchport so that you cannot view other user multicast traffic ?

Richard Burts Mon, 02/26/2007 - 09:51


Use of CGMP and of IGMP snooping can reduce the amount of multicast sent to switch ports. But NO there is not any way that you can prevent a sniffer on one port from seeing multicast of another port. Ultimately if the PC with the sniffer registers for the multicast group, then the switch will send the multicast traffic to the switch port with the sniffer.



Jon Marshall Tue, 02/27/2007 - 05:10


Depending on your switch you can use the "switchport block multicast" command. This will stop unknown multicast traffic being sent on that port.

However, this would not stop multicast being sent down that port if the sniffer registered with the multicast group, as Rick has already said.



jim.coyne Tue, 02/27/2007 - 08:40

If you wanted to sniff the entire VLAN (including all unicast) without being connected to a SPAN port, you need to ARP flood (ARP poison) the switch. This way the CAM table fills up with junk and the switch starts pushing all traffic down every port.


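The forwarding behaviour the thread describes (Richard Burts' point that unicast only goes to the port where the destination MAC was learned, and jim.coyne's point that a full CAM table makes the switch flood unicast everywhere) can be checked with a small model. This is an added example, not code from the thread or from any Cisco product; the `Switch` class, its CAM capacity and the per-port MAC limit are constructed stand-ins for a real switch and for the "port MAC security" feature Richard mentions, and the MAC addresses are made up.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch for one VLAN: bounded CAM table, optional per-port MAC limit."""

    def __init__(self, ports, cam_capacity=4, port_security_max=None):
        self.ports = list(ports)
        self.cam = OrderedDict()                  # source MAC -> port, oldest entry first
        self.cam_capacity = cam_capacity
        self.port_security_max = port_security_max  # assumed model of port security
        self.learned_per_port = {p: set() for p in ports}
        self.err_disabled = set()                 # ports shut down after a violation

    def forward(self, in_port, src, dst):
        """Deliver one frame; return the set of ports that receive a copy."""
        if in_port in self.err_disabled:
            return set()
        if self.port_security_max is not None and src not in self.learned_per_port[in_port]:
            if len(self.learned_per_port[in_port]) >= self.port_security_max:
                self.err_disabled.add(in_port)    # too many MACs on one port: shut it
                return set()
            self.learned_per_port[in_port].add(src)
        if src in self.cam:
            self.cam.move_to_end(src)
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)          # table full: oldest entry is lost
        self.cam[src] = in_port
        others = {p for p in self.ports if p != in_port and p not in self.err_disabled}
        if dst == BROADCAST or int(dst.split(":")[0], 16) & 1:
            return others                         # broadcast/multicast: every other port
        if dst in self.cam:
            return {self.cam[dst]} - {in_port}    # known unicast: one port only
        return others                             # unknown unicast: flooded


def scenario(port_security_max=None):
    """Sniffer on port 3; does it see A (port 1) -> B (port 2) before/after a MAC flood?"""
    sw = Switch(ports=[1, 2, 3], cam_capacity=4, port_security_max=port_security_max)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"      # constructed hosts
    sw.forward(2, b, BROADCAST)                           # switch learns B on port 2
    seen_before = 3 in sw.forward(1, a, b)                # normal unicast A -> B
    for i in range(10):                                   # port 3 sends bogus source MACs
        sw.forward(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    seen_after = 3 in sw.forward(1, a, b)
    return seen_before, seen_after, 3 in sw.err_disabled
```

Without a per-port limit the sniffer misses the unicast before the flood and sees it afterwards; with `port_security_max=1` the offending port is disabled on its second MAC and the unicast path stays private.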