Firewalls: Re: Network Sniffer

Firewalls
(May 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Network Sniffer
From:	Mark Fullmer <maf @ cob . ohio-state . edu>
Date:	Tue, 24 May 1994 10:48:41 -0400 (EDT)
To:	Firewalls @ GreatCircle . COM
Reply-to:	maf+ @ osu . edu

Eric .
 Vyncke @
 csl .
 sni .
 be writes:

>3) it is _IMPOSSIBLE_ to receive frames transmitted on a Ethernet segment 
>which is not local (my Sniffer in Belgium cannot receive your Ethernet 
>frames!) or which is repeated. Obvious exceptions: if the frame is bridged 
>to the destination via the LAN segment where the sniffer is tapped _OR_ if 
>the frame is routed (IP, DECnet, ...) via the LAN segment where the sniffer 
>is tapped.

Many bridges can have their learn tables faked into letting through traffic..

Exceptions are bridges that have a learn table lockdown, or a reasonably 
long timeout before re-learning a mac address.

Even with a learn table lockdown, if you are using a bridge to isolate 
traffic for security reasons, that bridge should somehow log (ie syslog, 
snmp trap, etc) when an mac address switches ports.

-- 
mark
maf+ @
 osu .
 edu

Indexed By Date	Previous:	Advice on Firewall Politics From: francis @ avalle . insoft . com (John [Francis] Stracke)
Indexed By Date	Next:	Firewalling a university. (Advice on Firewall politics) From: yerkes_chuck @ jpmorgan . com
Indexed By Thread	Previous:	Re: Network Sniffer From: Eric . Vyncke @ csl . sni . be (Eric Vyncke)
Indexed By Thread	Next:	Re[2]: Network Sniffer From: "Rhett, Joe" <JRhett @ sextantgroup . com>