Or: Most models of cisco switchen and extreme networks switchen have the option to 'mirror' ports. I'm not that familiar with the cisco side of things, so will focus on the extreme's. You can mirror either a set or all ports on a given switch, to one port on said switch, which can then be 'sniffed' in the usual fashion. so 48 port switch, minus 1 port for the 'mirror' port, leaves you 47 100Mb ports to sniff. On Wed, 30 Jan 2002, Sebastian Jaenicke wrote: > Hi, > > On Wed, Jan 30, 2002 at 10:05:08PM +0000, Jan wrote: > [..] > > how can i sniff upon a switched network segment ? a read some articles about "switch jamming" and "port mirroring" but up to know i didn't learn anything special at all. > > ca some of your guys out there help me ? (i'm sure some of you can but are you willing, too ?) > > > > This can be achieved by flooding the switch with spoofed ARP packets until > its internal MAC table is filled up - most switches will then revert to > "hub mode" and therefore broadcast all traffic to the network where it > can easily be sniffed. > > http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm should > give you some (more accurate?) information. > > Sebastian > -- > Sebastian Jaenicke > whois pgpkey-18AC0BE4at_private|perl -ne's-^certif: +--&&print' > "Object-oriented programming is an exceptionally bad idea which > could only have originated in California." --Edsger Dijkstra >
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 15:44:31 PST