Great Circle Associates Firewalls
(August 1996)
 


Subject: huh? switch hitter? (fwd)
From: Ryan Mooney <ryan @ pcslink . com>
Date: Wed, 14 Aug 1996 00:25:26 -0700 (MST)
To: firewalls @ GreatCircle . COM
Cc: roberth @ cet . com

You only can't sniff across switched ports.

ie:

-----seg1-------+----------+
                |          |
-----seg2-------+          |
                | Switch   |
-----seg3-------+          |
                |          |
-----seg4-------+----------+

In this scenario if you are on seg1 and traffic is going from seg2 to
seg3 you never see it.  You would of course be able to see any traffic
on seg1, but that's it (except for broadcast packets and the like).
Saying that switched ethernet can't be sniffed is somewhat of a misnomer
as each virtual segment usually has more than one system on it and
any one of those systems could theoretically snoop any traffic on that
segment.  I think this is really simple common sense once you look at what
the switch is really doing... and what machines are where.  There are
of course ways to capture all data going across the switch with things
like switch probes and the like, these do however have to be installed,
and left open for evil bad dude to use in his copious spare time.

> 
> excuse my ignorance or lack of research, yet...
> 
> what makes switched ethernet unable to be snarfed....
> 
> --->
> Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
> Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
> (509) 927-9541             finger: info @ cet . com or email: roberth @ cet . com
> 
> 
> 
> On Wed, 14 Aug 1996, Bernd Eckenfels wrote:
> 
> > Hi,
> > 
> > > We did. We captured all the X25 packets then opened them up. There was
> > > IBM SNA data going through the X25. Looked like a database update.
> > > There was mail going through. Boring stuff about various shipments.
> > > And there was a trickle of teletype.
> > 
> > what kind of X.25 Connection is this? Generally X.25 is not used on
> > broadcast mediums, only with point-to-point links to the switches. (You can
> > compare it to switched ethernet, where ethernet sniffing is impossible,
> > too).
> > 
> > Greetings
> > Bernd
> > -- 
> >   (OO)      -- Bernd_Eckenfels @ Wittumstrasse13 . 76646Bruchsal . de --
> >  ( .. )  ecki @ lina . {inka . de,ka.sub.org}  http://home.pages.de/~eckes/
> >   o--o     *plush*  2048/A2C51749  eckes @ irc  +4972573817  *plush*
> > (O____O)       If privacy is outlawed only Outlaws have privacy
> > 
> 
> 

-------------------------------------------------------------------------------
Ryan Mooney                  ryan @ pcslink . com
Systems Engineer
Phoenix Computer Specialists Internet Provider     "Illuminate The Opposition!"
Phone (602)265-9188          Fax (602)265-9357        -- Adam Weishaupt
proud member of AAAAAA - American Association Against Acronym Abuse Anonymous.
--------------------------------------------------------------------------------
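
The forwarding behaviour described in the message above, modelled as a small learning switch. This is an added example, not part of the original post; the MAC addresses and frame list are constructed, and flooding of frames for not-yet-learned destinations is assumed as standard learning-bridge behaviour.

```python
# Added illustration: a learning switch with the four segments from the diagram.
# MAC addresses and frames below are constructed sample data.
BROADCAST = "ff:ff:ff:ff:ff:ff"
SEGMENTS = ("seg1", "seg2", "seg3", "seg4")

class LearningSwitch:
    def __init__(self, ports=SEGMENTS):
        self.ports = tuple(ports)
        self.mac_table = {}  # source MAC -> segment it was last seen on

    def forward(self, in_port, src, dst):
        """Return the set of segments on which this frame appears."""
        self.mac_table[src] = in_port
        seen_on = {in_port}  # shared segment: every host on it sees the frame
        if dst == BROADCAST or dst not in self.mac_table:
            seen_on.update(self.ports)  # broadcast or not-yet-learned: flooded
        else:
            seen_on.add(self.mac_table[dst])  # known unicast: one port only
        return seen_on

H1A, H1B = "02:00:00:00:01:0a", "02:00:00:00:01:0b"  # two hosts sharing seg1
H2, H3 = "02:00:00:00:02:0a", "02:00:00:00:03:0a"

# (ingress segment, source MAC, destination MAC)
FRAMES = [
    ("seg1", H1B, BROADCAST),  # 0: broadcast from seg1
    ("seg2", H2, BROADCAST),   # 1: broadcast from seg2
    ("seg3", H3, H2),          # 2: seg3 -> seg2 unicast
    ("seg2", H2, H3),          # 3: seg2 -> seg3 unicast
    ("seg1", H1A, H1B),        # 4: local traffic between two hosts on seg1
]

def frames_visible_from(segment, frames=FRAMES):
    """Indices of frames a passive listener on `segment` would receive."""
    switch = LearningSwitch()
    return [i for i, (port, src, dst) in enumerate(frames)
            if segment in switch.forward(port, src, dst)]

if __name__ == "__main__":
    for seg in SEGMENTS:
        print(seg, frames_visible_from(seg))
```

A listener on seg1 receives the broadcasts and the seg1-local frame but neither of the seg2/seg3 unicasts, which is the point the diagram makes.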

