Switch & sniffer

cisconoobie
Level 2

Can someone please clarify for me.

If you are part of a VLAN and someone on that same VLAN installs a packet sniffer, will he be able to see the traffic that other users on the VLAN are sending?

I know about SPAN and how it works, but please clarify the above for me. Is there any way to hack it, so that a user who does not have access to the switch administration is able to sniff other users' packets on the same VLAN?

14 Replies

Ahmede
Level 1

Yes, he can. If you run sniffer software on your PC, you should be able to sniff the network and see other users' traffic. I do that all the time!

AHMED

Are you saying that your PC is connected to an access port, not configured as a SPAN or MONITOR port, and that you can see traffic for other users? Are you connected to a hub instead of a switch? The operation of a switch is that it will deliver unicast frames only to a port on which the destination MAC is located and to SPAN or MONITOR ports. So how is your PC seeing the other traffic?

HTH

Rick

Richard Burts
Hall of Fame

Sparky

Assuming that their port is configured as an access port and not a trunk, if someone within your VLAN installs a sniffer, they will see any multicast/broadcast traffic in the VLAN and will see any unicast traffic for their port. But they will not see unicast traffic for other ports.

HTH

Rick

bjw
Level 4

Yup,

Physical security can be a tough creature. With Net Gen Sniffer, you can disable tcp/ip on your nic and use a sniffer driver to "transparently" sniff traffic on a VLAN/Network Segment without being subject to port MAC security.

So it is possible to sniff other users' unicast packets on the same VLAN without the use of SPAN?

As rburts mentioned above, unicast packet traffic in a SWITCH is discriminated to only the port it's destined to, but all multicast/broadcast traffic + unicast directly to/from the port the "sniffer" might be connected to can be seen.

Bill

Disabling tcp/ip on the nic and doing "transparent" sniffing works well on a hub or similar environment. But without getting into questions of port MAC security, how do you get the switch to send unicast frames to a port that does not have the destination MAC on it?

[edit: while I was typing my response Bill posted another response and I believe that we are saying pretty much the same thing. In a hub type of environment you can do transparent sniffing and see traffic for many end stations but in a switch environment you do not see unicast frames for other MAC addresses. Since Sparky asked his question in the context of VLAN membership I assume that a switch environment was intended.

Now maybe we can get AHMED to clarify what he meant about sniffing on switch ports.]

HTH

Rick

Ok, so switches provide better security than hubs. Now is there any way to set up security on the switchport so that you cannot view other users' multicast traffic?

Sparky

Use of CGMP and of IGMP snooping can reduce the amount of multicast sent to switch ports. But NO there is not any way that you can prevent a sniffer on one port from seeing multicast of another port. Ultimately if the PC with the sniffer registers for the multicast group, then the switch will send the multicast traffic to the switch port with the sniffer.

HTH

Rick

Hi

Depending on your switch you can use the "switchport block multicast" command. This will stop unknown multicast traffic being sent on that port.

However this would not stop multicast being sent down that port if the sniffer registered with the multicast group as rick has already said.

HTH

Jon

If you wanted to sniff the entire VLAN (including all unicast) without being connected to a SPAN port, you need to ARP flood (ARP poison) the switch. This way the CAM table fills up with junk and the switch starts pushing all traffic down every port.

Jim,

Is there any way to protect against this flood?

Port Security would be my first line of defense.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm

Also this is not exactly a quiet attack, detection should be fairly simple.
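To make Jim's port-security suggestion and Jon's "switchport block multicast" note concrete, here is an added example configuration for a Catalyst access port running IOS. It is not something posted in this thread and not Cisco's own sample; the interface name GigabitEthernet0/1, VLAN 10 and the syslog collector address 192.0.2.10 are assumed values. The first stanza is the kind of bare access port most users sit on; the second is the same port hardened so that one host cannot fill the CAM table from it, cannot negotiate itself into a trunk, and does not receive unknown-unicast or unknown-multicast floods.

```cisco
! ---- Weak: a typical default access port (constructed example) ----
! Nothing limits how many source MACs this port may teach the switch,
! the port mode is left to DTP negotiation, and any unknown unicast or
! unknown multicast the switch floods is delivered here as well.
interface GigabitEthernet0/1
 switchport access vlan 10
!
! ---- Hardened user access port (constructed example) ----
interface GigabitEthernet0/1
 description user access port, VLAN 10
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 !
 ! Port security: cap the number of MAC addresses the port may learn so a
 ! burst of forged source addresses from this port cannot fill the CAM
 ! table. "restrict" drops the offending frames and logs/counts them
 ! instead of err-disabling the port; "sticky" keeps the learned MACs.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 !
 ! Do not deliver unknown-unicast or unknown-multicast floods to this port.
 ! As Jon says above, groups the host joins via IGMP still arrive.
 switchport block unicast
 switchport block multicast
 !
 ! Rate-limit broadcast/multicast storms and send an SNMP trap when hit,
 ! which is the noisy signature Jim refers to.
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 !
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Ship the resulting %PORT_SECURITY and storm-control messages off-box
! so a violation is actually noticed (collector address is assumed).
logging host 192.0.2.10
!
! Verification commands to run afterwards:
!   show port-security interface GigabitEthernet0/1
!   show port-security address
!   show mac address-table count
!   show storm-control GigabitEthernet0/1
```

The "maximum 2" value is a design choice: it leaves room for a phone plus a PC behind it while still making a CAM-overflow attempt from that port fail at the third address. "violation restrict" rather than "shutdown" is chosen so that a single misbehaving host cannot knock its own port out of service, while the violation counter in "show port-security interface" still tells you it happened.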

dgahm
Level 8

Here is a good white paper that explores layer 2 vulnerabilities, and what you can do to protect against them.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
