Cisco Support Community
New Member

Switch & sniffer

Can someone please clarify this for me.

If you are part of a VLAN and someone on that same VLAN installs a packet sniffer, will he be able to see the traffic that other users on the VLAN are sending?

I know about SPAN and how it works, but please clarify the above for me. Is there any way to hack it, so that a user who does not have access to the switch administration is able to sniff other users' packets on the same VLAN?

14 REPLIES
New Member

Re: Switch & sniffer

Yes, he can. If you run sniffer software on your PC, you should be able to sniff the network and see other users' traffic. I do that all the time!

Hall of Fame Super Silver

Re: Switch & sniffer

AHMED

Are you saying that your PC is connected to an access port, not configured as a SPAN or MONITOR port, and that you can see traffic for other users? Are you connected to a hub instead of a switch? The operation of a switch is that it will deliver unicast frames only to a port on which the destination MAC is located and to SPAN or MONITOR ports. So how is your PC seeing the other traffic?

HTH

Rick

Hall of Fame Super Silver

Re: Switch & sniffer

Sparky

Assuming that their port is configured as an access port and not a trunk, if someone within your VLAN installs a sniffer, they will see any multicast/broadcast traffic in the VLAN and will see any unicast traffic for their port. But they will not see unicast traffic for other ports.

HTH

Rick

bjw Silver

Re: Switch & sniffer

Yup,

Physical security can be a tough creature. With Net Gen Sniffer, you can disable tcp/ip on your nic and use a sniffer driver to "transparently" sniff traffic on a VLAN/Network Segment without being subject to port MAC security.

New Member

Re: Switch & sniffer

So it is possible to sniff other users' unicast packets on the same VLAN without the use of SPAN?

bjw Silver

Re: Switch & sniffer

As rburts mentioned above, unicast packet traffic in a SWITCH is restricted to only the port it's destined to, but all multicast/broadcast traffic, plus unicast directly to/from the port the "sniffer" might be connected to, can be seen.

Hall of Fame Super Silver

Re: Switch & sniffer

Bill

Disabling tcp/ip on the nic and doing "transparent" sniffing works well on a hub or similar environment. But without getting into questions of port MAC security, how do you get the switch to send unicast frames to a port that does not have the destination MAC on it?

[edit: while I was typing my response Bill posted another response and I believe that we are saying pretty much the same thing. In a hub type of environment you can do transparent sniffing and see traffic for many end stations but in a switch environment you do not see unicast frames for other MAC addresses. Since Sparky asked his question in the context of VLAN membership I assume that a switch environment was intended.

Now maybe we can get AHMED to clarify what he meant about sniffing on switch ports.]

HTH

Rick

New Member

Re: Switch & sniffer

OK, so switches provide better security than hubs. Now, is there any way to set up security on the switchport so that you cannot view other users' multicast traffic?

Hall of Fame Super Silver

Re: Switch & sniffer

Sparky

Use of CGMP and of IGMP snooping can reduce the amount of multicast sent to switch ports. But NO there is not any way that you can prevent a sniffer on one port from seeing multicast of another port. Ultimately if the PC with the sniffer registers for the multicast group, then the switch will send the multicast traffic to the switch port with the sniffer.

HTH

Rick

Hall of Fame Super Blue

Re: Switch & sniffer

Hi

Depending on your switch you can use the "switchport block multicast" command. This will stop unknown multicast traffic being sent on that port.

However, this would not stop multicast being sent down that port if the sniffer registered with the multicast group, as Rick has already said.

HTH

Jon

New Member

Re: Switch & sniffer

If you wanted to sniff the entire VLAN (including all unicast) without being connected to a SPAN port, you need to ARP flood (ARP poison) the switch. This way the CAM table fills up with junk and the switch starts pushing all traffic down every port.

New Member

Re: Switch & sniffer

Jim,

Is there any way to protect against this flood?

New Member

Re: Switch & sniffer

Port Security would be my first line of defense.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm

Also, this is not exactly a quiet attack; detection should be fairly simple.
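The "detection should be fairly simple" point above, as an added example that is not part of the thread: a CAM-table flood shows up as one access port learning far more MAC addresses than any real host needs, and once port security is enabled IOS logs a `%PORT_SECURITY-2-PSECURE_VIOLATION` message. The sample `show mac address-table dynamic` output, the syslog lines, the MAC addresses, the port names and the uplink list below are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of Cisco IOS "show mac address-table dynamic" output.
# Fa0/7 has learned four MACs, which is far too many for a single-host access port.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4456    DYNAMIC     Fa0/2
  10    de0c.0b83.1a01    DYNAMIC     Fa0/7
  10    de0c.0b83.1a02    DYNAMIC     Fa0/7
  10    de0c.0b83.1a03    DYNAMIC     Fa0/7
  10    de0c.0b83.1a04    DYNAMIC     Fa0/7
  10    0011.2233.4499    DYNAMIC     Gi0/1
"""

# Constructed sample syslog; PSECURE_VIOLATION is the message IOS port security
# emits when a port exceeds its configured maximum number of MAC addresses.
SAMPLE_SYSLOG = """\
Mar  1 10:02:13.101: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Mar  1 10:02:41.530: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address de0c.0b83.1a05 on port FastEthernet0/7.
Mar  1 10:03:00.004: %SYS-5-CONFIG_I: Configured from console by admin
"""

# One dynamic row: "<vlan> <xxxx.xxxx.xxxx> DYNAMIC <port>"; header/separator lines do not match.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+DYNAMIC\s+(\S+)", re.I)
VIOLATION = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*MAC address (\S+) on port (\S+)\.")

def macs_per_port(mac_table: str) -> Counter:
    """Count dynamically learned MAC addresses per switch port."""
    counts = Counter()
    for line in mac_table.splitlines():
        m = MAC_ROW.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts

def flooding_suspects(mac_table: str, max_per_access_port: int = 2, uplinks=("Gi0/1",)) -> dict:
    """Access ports (uplinks excluded) whose learned-MAC count exceeds what a host plus phone would use."""
    return {port: n for port, n in macs_per_port(mac_table).items()
            if port not in uplinks and n > max_per_access_port}

def port_security_violations(syslog: str) -> list:
    """(port, offending MAC) pairs for every port-security violation message in the log."""
    hits = []
    for line in syslog.splitlines():
        m = VIOLATION.search(line)
        if m:
            hits.append((m.group(2), m.group(1)))
    return hits
```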

Blue

Re: Switch & sniffer

Here is a good white paper that explores layer 2 vulnerabilities, and what you can do to protect against them.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
