You can sniff token-ring networks. The Sniffer product sends out a MAC frame
that indicates that an adapter is running in promiscuous mode and this MAC
frame can be picked up by token-ring managers that are monitoring for this
type of activity. If the manager is configured to send a MAC frame to stop
monitoring, the Sniffer will comply with that request and shut down the
card. This is why some people think that you cannot monitor a token-ring
network, because there is a manager that sends out this MAC frame.
If the adapter is configured in promiscuous mode the card will copy all
traffic off the incoming frames as well as resend them to the next node.
Sniffing a token-ring and understanding all of the MAC and LLC functions is
quite a task without a good decoder like the Sniffer. There are a lot of
troubleshooting and diagnostic frames sent around the token ring network.
One of the most useful is the Active Monitor Present and Standby Monitor
Present frames. Using this sequence you get a map of the token-ring cards
and you can determine where fault domains are in the event of a failure by
having recorded the physical layout of the ring during any add, move or
change. The ring poll failure message indicates that this sequence was not
completed in 7 seconds. If this error occurs you will need to know the
physical layout of the ring and the output of the AMP and SMP frames. I have
used the Sniffer ALOT in my day and the troubleshooting of the token-ring
network without it is really quite time consuming.
Lance
----- Original Message -----
From: "Oscar Rau" <[EMAIL PROTECTED]>
To: "Firewalls" <[EMAIL PROTECTED]>
Sent: Friday, April 28, 2000 7:49 AM
Subject: Token Ring LAN
> I know you cannot sniff on a Token Ring LAN. Can it TR host been spoofed?
>
> Are there any known security vulnerabilities in a Token Ring LAN?
>
> Thank you in advance.
> --
>
> Oscar Rau
> [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
