Ethernet adapter in promiscuous mode on switched ethernet?

Ethernet adapter in promiscuous mode on switched ethernet?

Post by Kris Kielhofn » Thu, 10 Jan 2002 03:53:21



I have always wondered, what happens when you put an ethernet adapter
that is on a switched LAN into promiscuous mode (as with tcpdump),
does it still recieve all of the LAN's ethernet traffic?  I would
think that it wouldn't as the switch wouldn't know to send data to
that MAC address that is destined for another.  Am I right on this?

Thanks,
Kris

 
 
 

Ethernet adapter in promiscuous mode on switched ethernet?

Post by jose » Thu, 10 Jan 2002 04:21:04



> I have always wondered, what happens when you put an ethernet adapter
> that is on a switched LAN into promiscuous mode (as with tcpdump),
> does it still recieve all of the LAN's ethernet traffic?  I would
> think that it wouldn't as the switch wouldn't know to send data to
> that MAC address that is destined for another.  Am I right on this?

you're right. you have to alter the switch somehow or fool it. the
proper way is to set the port you're on to monitor or spanning or
reflector mode (vendors call it different things). this is the idea of
having one port see all the traffic the switch sees, useful for
debugging or monitoring a segment.

the other options are to flood the switch with false MAC addresses (see
dsniff's macof tool) to have it flood its tables and revert to
forwarding all traffic to all ports or to arpspoof the target you wish
to observe so the switch will send the data to two ports and not just
one.



 
 
 

Ethernet adapter in promiscuous mode on switched ethernet?

Post by Derick Siddow » Thu, 10 Jan 2002 04:21:56



Quote:> I have always wondered, what happens when you put an ethernet adapter
> that is on a switched LAN into promiscuous mode (as with tcpdump),
> does it still recieve all of the LAN's ethernet traffic?  I would
> think that it wouldn't as the switch wouldn't know to send data to
> that MAC address that is destined for another.  Am I right on this?

You are correct.  Sniffing only works on shared segments, such as
on cheapnet or a hub.

--
Derick Siddoway      II. Impact    Non-privileged primitive users can

                     fleet and gain unauthorized access to files.
                     -- CERT Advisory CA-96.13

 
 
 

Ethernet adapter in promiscuous mode on switched ethernet?

Post by Berk S. Daemo » Thu, 10 Jan 2002 04:35:41



Quote:> I have always wondered, what happens when you put an ethernet adapter
> that is on a switched LAN into promiscuous mode (as with tcpdump),
> does it still recieve all of the LAN's ethernet traffic?  I would
> think that it wouldn't as the switch wouldn't know to send data to
> that MAC address that is destined for another.  Am I right on this?

> Thanks,
> Kris

Won't listen to all traffic other than the 'port' you're on.

Although, if you want to sniff a switched environment, check out dsniff's
suite of tools. Developed by Dug Song,  www.monkey.org/~dugsong/dsniff/ I
believe is the URL. He's one of the OpenBSD developers, so on his ftp he has
lots of goodies too.

There are various ways to sniff switched network, and people who believe
switched networks are more secure, are simply wrong.

Regards!

 
 
 

Ethernet adapter in promiscuous mode on switched ethernet?

Post by jp » Thu, 10 Jan 2002 05:03:55


On Tue, 08 Jan 2002 19:35:41 GMT,

[SNIP]

Quote:> There are various ways to sniff switched network, and people who believe
> switched networks are more secure, are simply wrong.

I believe switched networks make sniffing slightly more difficult. Just not
that much. IMU, it does, make a sniffer more visible. Which is worth
something for people that want to detect sniffers.

--
  j p d (at) d s b (dot) t u d e l f t (dot) n l .

 
 
 

1. Promiscuous mode ethernet adapters

The 3COM 3C509 with the correct driver will support prom. mode.  It is
required for Lanalyzer for Windows.
scd

____________________________________
Stephen C. Dickey
Corbett Systems Development
PO Box 2347
Colorado Springs, CO  80901-2347

303.674.0700 voice
719.520.9092 voice
719.633.8594 fax



____________________________________

2. linux flavor?

3. Ethernet interface in promiscuous mode without ip adress.

4. RSA Authentication on ssh

5. Network Promiscuous Mode Ethernet Detector software?

6. Is server speed adjustable?

7. ethernet card in promiscuous mode with aDSL routers

8. Turning off ethernet promiscuous mode (Was: [SUMMARY] identd for Indy/IRIX 5.3)

9. PCMCIA Ethernet & promiscuous mode

10. Ethernet card promiscuous mode

11. Sun ethernet in promiscuous mode? Really?

12. Turning off ethernet promiscuous mode