Hi,
Be careful trying to sniff all packets you can come unglued.
eg, I have a sinffer with a 100Meg card and a switch set to span say 6 ports capable
of 100Meg. All 6 ports talk at the same time simple maths tells me that is 600Meg. I
will drop a bundle of packets to my sniffer. This can cause some heartache if one is
not aware of it happening.
Teunis
Hobart, Tasmania
Australia
On Wednesday, March 21, 2001 at 04:22:01 PM, Allen May wrote:
> You're both right. Normally plugged into the switch you only see traffic
> passing through the port on the switch you're on.
>
> HOWEVER, you can plug into most switches with a special configuration that
> allows a workstation to sniff all packets on that switch. It requires 2
> NICs configured in a specific way and for the switch to support it. Switch
> needs to have VLANs mirrored, a regular TCP/IP port plugged in, and the 2nd
> NIC configured according to documentation of your sniffer.
>
> Here's a link for how Sniffer Pro does it:
> http://www.findarticles.com/cf_0/m0IFW/16_21/54434926/p2/article.jhtml?term=
> See previous page on that article for a little more info.
>
> I did this once and it worked like a charm after I finally gave in & read
> the docs ;)
>
> SO, unless they have access to the switch & VLAN configuration, they can't.
> That is, unless the uplink for the switch has a hub. Then you can see
> anything going into or out of the switch, but not within the switch from
> port-port ;)
>
> Allen
> ----- Original Message -----
> From: "NetEng" <[EMAIL PROTECTED]>
> Newsgroups: groupstudy.cisco
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 21, 2001 3:45 PM
> Subject: Whew! Can you smell that VLan?
>
>
> > We have had a pissing match lately and here's the details. One person
> states
> > that a VLan can not be sniffed because it is on a different subnet. The
> > other person says it can becuase it's physically on the same switch. I
> think
> > you can to a point. Here's what I mean; let's say we have a 3524 with two
> > Vlans, VLAN1 (we'll call it InfoSys), and VLAN2 (called HR). If I have a
> > sniffer running on InfoSys, I should be able to sniff traffic on my subnet
> > as well as traffic from HR to InfoSys (ie HR employee accessing mail
> server
> > on InfoSys), right? The only difference is that the source MAC address
> would
> > change. I should not be able to sniff traffic local to HR (ie an employee
> > accessing accounting software) right? What's the rub?
> >
> >
> >
> >
> > _________________________________
> > FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
--
www.tasmail.com
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
