Kevin Coyner, 2002-Dec-10 17:31 -0500:
> > On Tue, Dec 10, 2002 at 01:47:41PM -0500, sean finney wrote:
> > > heya,
> > >
> > > iirc promiscuous mode means to listen to all traffic on the network
> > > as opposed to only traffic addressed to the mac address of your ethernet
> > > card. this is real useful for passively sniffing packets on your
> > > network when you don't want to / can't run it on one of the machines
> > > in question.
> >
> > One question that I've been meaning to ask and this seems to be close to
> > being on-topic: If you're running a sniffer in promiscuous mode on a
> > network that is linked together via a switch (as opposed to a hub), will
> > you still be able to passively capture all packets from all boxes on the
> > net? Or is that one of the purposes of the switch - to ensure privacy?
> > Is there any way around this?
You will only see the broadcast and multicast traffic, along with the traffic to and from your system. A switch is a multi-port bridge that forwards traffic at layer 2, based on the destination MAC address. The broadcast traffic is flooded to all ports on the switch, while the multicast traffic will do the same unless the switch has some multicast intelligence.

This isn't designed for privacy, but rather scalability and performance. It's not good to put more than 100 or so systems on an ethernet segment of hubs (repeaters) since only one system can transmit at a time. The number is debatable, but 100 is a good number to start with.

To get around this, you'd need switches that do "port mirroring", but then this feature is limited, e.g. mirroring 16 100MB ports would require 2-3 Gigabit ports to mirror to, and a 4GB backplane to handle the duplication of all the traffic at full load. Typically, you'd mirror server and/or uplink ports, and then only to troubleshoot or to study a link.

jc

--
Jeff Coppock
Systems Engineer
Diggin' Debian
Admin and User
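The forwarding behaviour Jeff describes (flood broadcast/multicast and unknown destinations, deliver learned unicast only to its port, optionally copy a port's traffic to a mirror port) can be shown with a small simulation. The following is an added example written for this archive page, not code from either poster: it models a hub and a learning switch, runs a constructed frame sequence through each, and reports which frames a promiscuous capture on one port would see. Host names, MAC addresses, port numbers and frame labels are all made up for the demonstration.

```python
"""Added example: what a promiscuous sniffer sees behind a hub vs. a learning switch.

Ports and MACs below are constructed for illustration only.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Hub:
    """Repeater: every frame is copied to every port except the one it came in on."""

    def __init__(self, n_ports: int):
        self.n_ports = n_ports

    def forward(self, in_port: int, frame: dict) -> set:
        return {p for p in range(self.n_ports) if p != in_port}


class Switch:
    """Learning bridge: learns source MAC -> port, floods group and unknown destinations.

    mirror_from / mirror_to model a simple port-mirroring (SPAN) setup: any frame
    entering or leaving a port in mirror_from is also copied to mirror_to.
    """

    def __init__(self, n_ports: int, mirror_from=None, mirror_to=None):
        self.n_ports = n_ports
        self.cam = {}  # MAC address -> port (the forwarding table)
        self.mirror_from = frozenset(mirror_from or ())
        self.mirror_to = mirror_to

    def forward(self, in_port: int, frame: dict) -> set:
        src, dst = frame["src"], frame["dst"]
        self.cam[src] = in_port  # learn where the sender lives
        if is_group_address(dst) or dst not in self.cam:
            # broadcast, multicast (no snooping here) and unknown unicast are flooded
            out = {p for p in range(self.n_ports) if p != in_port}
        else:
            out = {self.cam[dst]} - {in_port}  # known unicast goes to one port only
        if self.mirror_to is not None and (
            in_port in self.mirror_from or out & self.mirror_from
        ):
            out.add(self.mirror_to)
        return out


def sniff(device, sniffer_port: int, frames) -> list:
    """Run frames through the device; return labels of frames visible on sniffer_port.

    A frame is visible if the device delivers it to that port or if the
    sniffer's own host sent it (the "to and from your system" case).
    """
    seen = []
    for in_port, frame in frames:
        out = device.forward(in_port, frame)
        if in_port == sniffer_port or sniffer_port in out:
            seen.append(frame["id"])
    return seen


# Constructed topology: host A on port 0, host B on port 1, sniffer S on port 2.
A, B, S = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
MDNS = "01:00:5e:00:00:fb"  # a multicast group address
TRAFFIC = [
    (0, {"id": "arp-req", "src": A, "dst": BROADCAST}),
    (1, {"id": "arp-reply", "src": B, "dst": A}),
    (0, {"id": "a-to-b", "src": A, "dst": B}),
    (1, {"id": "b-to-a", "src": B, "dst": A}),
    (0, {"id": "mdns", "src": A, "dst": MDNS}),
    (2, {"id": "s-to-a", "src": S, "dst": A}),
    (0, {"id": "a-to-s", "src": A, "dst": S}),
]


def demo() -> dict:
    """Compare the sniffer's view on port 2 across the three setups."""
    return {
        "hub": sniff(Hub(4), 2, TRAFFIC),
        "switch": sniff(Switch(4), 2, TRAFFIC),
        # mirror everything in or out of A's port (0) to the sniffer's port (2)
        "switch_mirrored": sniff(Switch(4, mirror_from={0}, mirror_to=2), 2, TRAFFIC),
    }


if __name__ == "__main__":
    for setup, seen in demo().items():
        print(f"{setup:16s} {seen}")
```

On the hub the sniffer sees all seven frames; on the plain switch it sees only the broadcast ARP request, the multicast frame and its own unicast exchange with A; with port 0 mirrored to port 2 it sees everything A sends or receives. The simulation also shows a detail the reply glosses over: a unicast frame to a MAC the switch has not yet learned is flooded like a broadcast, so a quiet host's incoming traffic can appear on other ports until that host transmits.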

