1. If you're an admin, you should be able to ping one of the hosts being sniffed and then inspect the arp caches (local and/or switch) to detect the poisoning. No need to sniff to do it.
2. As an admin, you can use port mirroring to sniff, without resorting to cache poisoning. But if the offender poisons the cache with the broadcast MAC address, sniffing the poison packets coming from a specific port is the only way to catch him. Although that *would* be pretty obvious that there was something going on.... David Gillett > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: January 30, 2003 04:52 > To: [EMAIL PROTECTED] > Subject: Sniffing in switched network > > Hello, > > I've read through some documentation about sniffing the > switched network. There are some arp-cache methods to > discover a sniffing host (switched or "normal" network > is not important here I think), if it is the switched > network will I get the result I want, or first I have > to become a sniffer also (i.e. arp-poison the switch > cache) - to get the responses that will tell me who is > the sniffer? > > Most documentation I read is somewhat old (2 years), is > everything aleady well known and described in this > subject or are there any running projects? > > Thanks for help, > > Norbert