SB CH wrote:
> I have operated a Linux server in a switched environment,
> and just with tcpdump I can see some other traffic which is not
> related to me, without any other tool or trick.
>
> It means that I can sniff traffic without a special sniffing tool at the
> switch, right? Is it possible?
> But it's true.

Without the use of special tools (hunt, etc.), switches will send traffic to ports the destination is NOT on in a few different circumstances:

- You're on a monitor port that has been set to receive copies of other traffic (so you'll receive all traffic to/from ports that are being monitored).
- The switch doesn't know which port a destination device is on, so it sends (floods) the packet out all ports (so you should only see the first couple of packets in a connection).
- The bridging table of the switch is full, so it gives up and floods the traffic (so your reception could be unreliable).
- Changing spanning tree topologies.
- All switches seem to leak a bit, so you do see the odd packet you shouldn't. Probably more likely if it's busy???

and probably others.

Switches filter traffic for performance reasons; any security benefits are a (very) small, unreliable bonus.

> For example,
> # tcpdump port 80
> 15:03:42.681171 eth0 P 211.47.130.114.1131 > 211.47.1.55.www: S
> My system has no relation with 211.47.130.114 or 211.47.1.55;
> it is just connected to the same switch as 211.47.1.55.

Darryl Luff
dluffat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
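The reply above distinguishes two patterns a host can legitimately see on a switched segment: a couple of leading packets of someone else's connection (the switch flooding a destination it has not learned yet) versus a sustained foreign flow (a monitor port, a full bridging table or a topology change). The script below is an added example, not part of the original thread, that audits tcpdump output of the form quoted in the post and sorts what the host saw into those two buckets. The capturing host's own address (MY_IP), the neighbour addresses beyond those in the post, the one-letter flag column being carried through unparsed, and the /24 broadcast heuristic are all assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the old Linux tcpdump line format quoted in the post:
# "<time> <iface> <flag> <src>.<sport> > <dst>.<dport>: <info>".
# Two addresses come from the post; the rest are made-up neighbours.
SAMPLE_TCPDUMP = """\
15:03:42.681171 eth0 P 211.47.130.114.1131 > 211.47.1.55.www: S
15:03:42.681902 eth0 P 211.47.1.55.www > 211.47.130.114.1131: S
15:03:42.690000 eth0 < 211.47.1.20.2001 > 211.47.1.10.ssh: P
15:03:42.690500 eth0 > 211.47.1.10.ssh > 211.47.1.20.2001: .
15:03:43.100000 eth0 P 211.47.1.77.3010 > 211.47.1.55.www: S
15:03:43.100500 eth0 P 211.47.1.77.3010 > 211.47.1.55.www: .
15:03:43.101000 eth0 P 211.47.1.77.3010 > 211.47.1.55.www: P
15:03:43.101500 eth0 P 211.47.1.77.3010 > 211.47.1.55.www: P
15:03:43.102000 eth0 P 211.47.1.77.3010 > 211.47.1.55.www: .
15:03:43.200000 eth0 B 211.47.1.3.netbios-dgm > 211.47.1.255.netbios-dgm: udp 201
"""

# Assumption: the capturing host's own IPv4 address (the post does not give it).
MY_IP = "211.47.1.10"

# The flag column (P, B, <, > ...) is kept as a token but not interpreted;
# the verdict below is based on addresses only.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<flag>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): (?P<info>.+)$"
)


def parse_line(line):
    """Split one tcpdump line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_broadcast(ip):
    # Assumption: a /24 directed broadcast (x.y.z.255) or the limited broadcast.
    return ip == "255.255.255.255" or ip.endswith(".255")


def classify(pkt, my_ip):
    """'local' if we are an endpoint, 'broadcast' if sent to everyone, else 'foreign'."""
    if my_ip in (pkt["src"], pkt["dst"]):
        return "local"
    if is_broadcast(pkt["dst"]):
        return "broadcast"
    return "foreign"


def audit(text, my_ip):
    """Return (counts per class, one finding per foreign flow with a hint)."""
    counts = defaultdict(int)
    flows = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            counts["unparsed"] += 1
            continue
        cls = classify(pkt, my_ip)
        counts[cls] += 1
        if cls == "foreign":
            # Direction-independent flow key so both halves of a conversation group together.
            key = tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
            flows[key].append(pkt["info"])

    findings = []
    for (a, ap), (b, bp) in sorted(flows):
        infos = flows[((a, ap), (b, bp))]
        handshake_only = all(i.startswith("S") for i in infos)
        if len(infos) <= 2 and handshake_only:
            # Only the opening packets: matches the switch flooding an unlearned destination.
            hint = "first packets only: consistent with flooding of an unknown destination"
        else:
            # Payload keeps arriving: something is copying or flooding this traffic to us.
            hint = "sustained flow: monitor port, full bridging table or topology change; investigate"
        findings.append({"flow": f"{a}.{ap} <-> {b}.{bp}", "packets": len(infos), "hint": hint})
    return dict(counts), findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_TCPDUMP, MY_IP)
    print("packet classes:", counts)
    for f in findings:
        print(f"{f['flow']}: {f['packets']} packet(s) -> {f['hint']}")
```

On a real host, feed it `tcpdump -n` output and replace MY_IP with the interface address; a steady stream of "sustained" foreign flows is the case worth raising with whoever runs the switch, while isolated two-packet findings are the normal flooding the reply describes.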
This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 15:35:12 PDT