Can someone please clarify for me.
If you are part of a vlan and someone on that same vlan installs a packet sniffer, will he be able to see traffic other users on the vlan are sending ?
I know about SPAN and how it works but please clarify the above for me. Is there any way to hack it, so a user that does not have access to the switch administration to be able to sniff out other user packets on same vlan?
Yes, he can.. If you run a sniffer software on your PC, you should be able to sniff the network and see other users traffic.. I do that all the time!
Are you saying that your PC is connected to an access port, not configured as a SPAN or MONITOR port, and that you can see traffic for other users? Are you connected to a hub instead of a switch? The operation of a switch is that it will deliver unicast frames only to a port on which the destination MAC is located and to SPAN or MONITOR ports. So how is your PC seeing the other traffic?
Assuming that their port is configured as an access port and not a trunk, if someone within your VLAN installs a sniffer, they will see any multicast/broadcast traffic in the VLAN and will see any unicast traffic for their port. But they will not see unicast traffic for other ports.
Physical security can be a tough creature. With Net Gen Sniffer, you can disable tcp/ip on your nic and use a sniffer driver to "transparently" sniff traffic on a VLAN/Network Segment without being subject to port MAC security.
As rburts mentioned above, unicast packet traffic in a SWITCH is discriminated to only the port it's destined to, but all multi-cast/broadcast traffc + unicast directly to/from the port the "sniffer" might be connected to, can be seen.
Disabling tcp/ip on the nic and doing "transparent" sniffing works well on a hub or similar environment. But without getting into questions of port MAC security, how do you get the switch to send unicast frames to a port that does not have the destination MAC on it?
[edit: while I was typing my response Bill posted another response and I believe that we are saying pretty much the same thing. In a hub type of environment you can do transparent sniffing and see traffic for many end stations but in a switch environment you do not see unicast frames for other MAC addresses. Since Sparky asked his question in the context of VLAN membership I assume that a switch environment was intended.
Now maybe we can get AHMED to clarify what he meant about sniffing on switch ports.]
Ok so switches provide better security than hubs. Now is there any way to setup security on the switchport so that you cannot view other user multicast traffic ?
Use of CGMP and of IGMP snooping can reduce the amount of multicast sent to switch ports. But NO there is not any way that you can prevent a sniffer on one port from seeing multicast of another port. Ultimately if the PC with the sniffer registers for the multicast group, then the switch will send the multicast traffic to the switch port with the sniffer.
Depending on your switch you can use the "switchport block multicast" command. This will stop unknown multicast traffic being sent on that port.
However this would not stop multicast being sent down that port if the sniffer registered with the multicast group as rick has already said.
If you wanted to sniff the entire VLAN (including all Unicast) without being connected to a SPAN port, you need to ARP flood (ARP poison)the switch. This way the CAM table fills up with junk and the switch starts pushing all trafiic down every port.
Port Security would be my first line of defense.
Also this is not exactly a quiet attack, detection should be fairly simple.
Here is a good white paper that explores layer 2 vulnerabilities, and what you can do to protect against them.