Great Circle Associates Firewalls
(August 1996)
 


Subject: Re: huh? switch hitter? (fwd)
From: Ryan Mooney <ryan @ pcslink . com>
Date: Wed, 14 Aug 1996 10:48:58 -0700 (MST)
To: hopkins @ icrf . icnet . uk (John Hopkins)
Cc: firewalls @ greatcircle . com
In-reply-to: <Pine . 3 . 89 . 9608140947 . A16353-0100000 @ callisto . lif . icnet . uk> from "John Hopkins" at Aug 14, 96 09:55:39 am

Some do, most however have a switch probe port (which is slightly 
different) into which you plug the probe.  It's not an ethernet
port at all (not sure if there's a standard to be honest but most
look like a DB25 connector).  The probes can be packet analyzers/tracers
(local or remote, usually RMON nowadays), or they can be just statistical 
analyzers or some combination thereof.  The difference between a common
port and a probe port is that you can "program" the probe port to allow you 
to see different segments and traffic types.  This makes a LOT of sense 
when you start talking about the larger switches that are becoming more
common, as they have hundreds of Mbs of backplane (sometimes Gbps) and
to have ALL that traffic go out one port is too much traffic for any
protocol analysis tool (or other end point for that matter) to
handle in a timely fashion.  The problem (problem? I guess that's the word)
is that switches are mostly MUCH too fast nowadays for simple analysis
tools, and require smarter switch-aware monitoring tools.


> I think that a lot of ethernet switches also have a common port that can
> see all the traffic on the other ports if required.
> 
> J.
> 
> On Wed, 14 Aug 1996, Ryan Mooney wrote:
> 
> > 
> > You only can't sniff across switched ports.
> > 
> > ie:
> > 
> > -----seg1-------+----------+
> >                 |          |
> > -----seg2-------+          |
> >                 | Switch   |
> > -----seg3-------+          |
> >                 |          |
> > -----seg4-------+----------+
> > 
> > In this scenario if you are on seg1 and traffic is going from seg2 to
> > seg3 you never see it.  You would of course be able to see any traffic
> > on seg1, but that's it (except for broadcast packets and the like).
> > Saying that switched ethernet can't be sniffed is somewhat of a misnomer
> > as each virtual segment usually has more than one system on it and
> > any one of those systems could theoretically snoop any traffic on that
> > segment.  I think this is really simple common sense once you look at what
> > the switch is really doing... and what machines are where.  There are
> > of course ways to capture all data going across the switch with things
> > like switch probes and the like, these do however have to be installed,
> > and left open for evil bad dude to use in his copious spare time.
> > 
> > > 
> > > excuse my ignorance or lack of research, yet...
> > > 
> > > what makes switched ethernet unable to be snarfed....
> > > 
> > > --->
> > > Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
> > > Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
> > > (509) 927-9541             finger: info @ cet . com or email: roberth @ cet . com
> > > 
> > > 
> > > 
> > > On Wed, 14 Aug 1996, Bernd Eckenfels wrote:
> > > 
> > > > Hi,
> > > > 
> > > > > We did.  We captured all the X25 packets then opened them up.  There was
> > > > > IBM SNA data going through the X25.  Looked like a database update.
> > > > > There was mail going through.  Boring stuff about various shipments.
> > > > > And there was a trickle of teletype.
> > > > 
> > > > what kind of X.25 Connection is this? Generally X.25 is not used on
> > > > broadcast mediums, only with point-to-point links to the switches. (You can
> > > > compare it to switched ethernet, where ethernet sniffing is impossible,
> > > > too).
> > > > 
> > > > Greetings
> > > > Bernd
> > > > -- 
> > > >   (OO)      -- Bernd_Eckenfels @ Wittumstrasse13 . 76646Bruchsal . de --
> > > >  ( .. )  ecki @ lina . {inka . de,ka.sub.org}  http://home.pages.de/~eckes/
> > > >   o--o     *plush*  2048/A2C51749  eckes @ irc  +4972573817  *plush*
> > > > (O____O)       If privacy is outlawed only Outlaws have privacy
> > > > 
> > > 
> > > 
> > 
> > -------------------------------------------------------------------------------
> > Ryan Mooney                  ryan @ pcslink . com
> > Systems Engineer
> > Phoenix Computer Specialists Internet Provider     "Illuminate The Opposition!"
> > Phone (602)265-9188          Fax (602)265-9357        -- Adam Weishaupt
> > proud member of AAAAAA - American Association Against Acronym Abuse Anonymous.
> > --------------------------------------------------------------------------------
> > 
> 

-------------------------------------------------------------------------------
Ryan Mooney                  ryan @ pcslink . com
Systems Engineer
Phoenix Computer Specialists Internet Provider     "Illuminate The Opposition!"
Phone (602)265-9188          Fax (602)265-9357        -- Adam Weishaupt
proud member of AAAAAA - American Association Against Acronym Abuse Anonymous.
--------------------------------------------------------------------------------
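
The forwarding behaviour discussed in this thread, as an added example that is not part of the original messages: a toy learning switch in Python showing what a sniffer on seg1 observes versus a probe port programmed to watch seg3. The class, function names, segment names and MAC addresses are constructed for illustration, and the probe port is modelled simply as a programmable set of mirrored segments.

```python
# Added illustration (constructed segment names and MACs): toy learning switch with a probe port.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, segments):
        self.segments = list(segments)
        self.mac_table = {}          # learned: source MAC -> segment
        self.mirrored = set()        # segments the probe port is programmed to watch

    def program_probe(self, *segments):
        """Select which segments are copied to the probe port."""
        self.mirrored = set(segments)

    def forward(self, in_seg, src, dst):
        """Return (segments the frame is seen on, whether the probe sees it)."""
        self.mac_table[src] = in_seg                 # learn where src lives
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:
            seen = set(self.segments)                # broadcast or unknown unicast: flood
        else:
            seen = {in_seg, out}                     # known unicast: only the two segments
        return seen, bool(seen & self.mirrored)

def visible_frames(switch, frames, listen_seg):
    """Frames a sniffer attached to listen_seg observes, and frames the probe observes."""
    sniffed, probed = [], []
    for frame in frames:
        seen, on_probe = switch.forward(*frame)
        if listen_seg in seen:
            sniffed.append(frame)
        if on_probe:
            probed.append(frame)
    return sniffed, probed

# Constructed traffic: (ingress segment, source MAC, destination MAC)
FRAMES = [
    ("seg2", "00:00:00:00:00:02", BROADCAST),            # ARP-style broadcast
    ("seg3", "00:00:00:00:00:03", "00:00:00:00:00:02"),  # reply, seg3 -> seg2
    ("seg2", "00:00:00:00:00:02", "00:00:00:00:00:03"),  # unicast seg2 -> seg3
    ("seg1", "00:00:00:00:00:01", "00:00:00:00:00:02"),  # unicast seg1 -> seg2
]

def demo():
    sw = Switch(["seg1", "seg2", "seg3", "seg4"])
    sw.program_probe("seg3")
    return visible_frames(sw, FRAMES, "seg1")

if __name__ == "__main__":
    print(demo())
```

The seg1 sniffer sees only the broadcast and its own segment's frame, while the probe sees every frame touching seg3; an inventory of which ports are configured as probe or mirror ports is therefore part of knowing who can capture cross-segment traffic.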

