There are articles on the SecurityFocus website, I believe, that have mentioned the issue of port spanning.
There are also multiple articles about creating "one-way" connection cables for use with IDSes. I believe that if you can afford the spend for a switch that has a tap port specifically dedicated for something like this, then it is better that you use that. Going with a spanned port strategy may limit your expandability in the future.
And in reply to the last post: I don't believe that many administrators are even allowed to sniff traffic. So how you tackle this advice is up to you.
Some previously mentioned info about Ettercap:
Ettercap requires that you use arp poisoning on a switch to sniff traffic. The reason is that a "truly switched" environment runs on its internal arp table, and redefining the arp table in a specific manner will cause a MITM (Man in the middle) attack to occur.
Some list members on SecurityFocus have already downplayed this strategy for use on large networks, and I too believe that it could introduce multitudes of performance-related problems into a big network.
Ettercap is a good tool for research purposes, but I think that its effects could hurt a corporate network big time. Also, it may trip your IDS into believing that an attack is going on, whereas it is only you switching up your ARP tables. If you have multiple administrators at your locale, then this could end up defeating an IDS solution pretty much.
So I'm pretty against sniffing up a network, administrator or no administrator.
But if you're into this for the research (I've set my foot into this field writing papers on privacy), and if you're looking to test packet injection, I suggest the use of packit (the author or somebody related just released a new version); it is very highly configurable and is very customizable.
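The IDS alerts the poster mentions come from the ARP-table rewriting described above; the Python below, added here as an example and not code from anyone in this thread, shows the two indicators such a detector keys on, run over constructed tcpdump-style ARP reply lines (the addresses and MACs are made up).

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape tcpdump prints ARP replies; not a real capture.
SAMPLE_LINES = """\
12:00:00.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:00.500000 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:20, length 28
12:00:01.000000 IP 10.0.0.20.51234 > 10.0.0.1.53: 12345+ A? example.com. (29)
12:00:05.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:ff, length 28
12:00:05.100000 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:ff, length 28
12:00:05.200000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:ff, length 28
"""

ARP_REPLY = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are ignored."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_poisoning(replies):
    """Return alert strings for two classic poisoning indicators.

    1. An IP that was bound to one MAC is suddenly announced by a different MAC.
    2. One MAC claims two or more IPs, which is what a host sitting between the
       gateway and a victim looks like when it impersonates both of them.
    Legitimate events (DHCP lease churn, router failover) also trigger the first
    rule, so in practice a baseline of known bindings is used to tune it.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts}: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{ts}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(SAMPLE_LINES)):
        print(alert)
```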
From: "cpmurphyiii" <[EMAIL PROTECTED]>
To: "'Brad Davenport'" <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: sniffing packets on a switch
Date: Wed, 12 Mar 2003 21:09:18 -0500
Brad,
You can try to use ettercap. It can be found at http://freshmeat.net/projects/ettercap/?topic_id=150%2C43. Very good utility. Set up a MITM PC running Linux. You will sniff all nodes on the segment. The tool even offers an ARP poisoning option, which will allow you to interject your own packets into the transmission.
-----Original Message-----
From: Brad Davenport [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 1:19 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: sniffing packets on a switch
On Cisco's switches you can use the SPAN feature to send a mirror of data received on a given port to another port.
I.e., your firewall port is spanned to another switchport to allow your IDS to sample all incoming data destined for the trusted net.
--BD
-----Original Message-----
From: David Gillett [mailto:[EMAIL PROTECTED]
Sent: Monday, March 10, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: sniffing packets on a switch
Do you know what kind of problems?
The most obvious problem with doing this is that, by default, your sniffer machine's port on the switch will only be sent traffic that is either broadcast, or addressed specifically to the sniffer host. Most switches offer a way that the switch administrator can direct that traffic for one or more other ports be copied to the sniffer's port. That's not a sniffer program issue.
There *are* ways to try that may make this happen if you don't have administrative access to the switch, and there might even be some tools around that automate such measures. But on most well-run networks, people without admin access to things like switches are also not authorized to be running sniffers, so let's not go there in a public forum....
David Gillett
> -----Original Message-----
> From: Scott Borre [mailto:[EMAIL PROTECTED]
> Sent: March 7, 2003 15:55
> To: [EMAIL PROTECTED]
> Subject: sniffing packets on a switch
>
> I am interested in what people recommend using to sniff packets on a switch. I have heard that TCPdump has some problems doing this. Thank you ahead of the time for any assistance.