On Wed, 26 Jun 2002, Jason DeWitt wrote:

> if I am wrong, but this is my thinking. If you have three machines on a
> switch. Machine one is running pop3 or ftp (something with sniffable
> passwords), machine two is sending requests to machine one, and machine
> three is running a sniffer. Since we are on a switch, any requests sent
> from machine two to machine one would not be broadcast on all ports,
> just to the port where machine one is connected. Therefore if the
> packets are not sent to the port where machine three is hooked up, how
> can it sniff the contents of said packets?
>
> was that confusing enough?
You can send ethernet frames from machine 3 with a spoofed MAC address of
machine 1. Depending on the type of switch, it may get confused and send the
packets to machine 2 AS WELL AS machine 3. Also the switch has a limited
number of entries in its bridge table depending on how much memory it has.
Once the bridge table is full, most switches will simply just start acting
like a dumb hub, since it has no room to record any new entries in the table.
So from machine 3, if you send 15 or 20,000 frames with spoofed MAC addresses
through the switch, it may start acting like a hub.

So it's a little harder to sniff a switch, but it's still possible.

-Ray

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                    http://www.r-a-y.org
Systems Engineer                  Southeastern Louisiana University
IBM Certified Specialist         AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
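The bridge-table behaviour Ray describes can be seen in a small model of a learning switch. The following simulation is an added example and is not code from the thread or from any switch vendor: it assumes a table of 8192 entries, a 300-second idle aging timer, and a simplified "port security" that refuses to learn more than N source addresses on one port and drops the offending frame (real switches also offer shutdown or restrict modes). `LearningSwitch`, `run_scenario`, `spoofed_mac` and the MAC addresses are all constructed names and values. The scenario replays the three-machine setup from the question: once machine 1's entry has aged out and the table is full, machine 2's frames to machine 1 are flooded to every port, including machine 3's; with a per-port limit the flood never fills the table and unicast forwarding recovers.

```python
"""Constructed model of a learning switch with a bounded bridge table (example
code, not from the original thread). Shows why a full table degrades the
switch to hub-like flooding and how a per-port MAC limit prevents it."""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC1, MAC2 = "00:00:00:00:00:01", "00:00:00:00:00:02"   # machines 1 and 2 (constructed)


class LearningSwitch:
    def __init__(self, ports, capacity, age_limit=300, max_macs_per_port=None):
        self.ports = tuple(ports)
        self.capacity = capacity                    # bridge-table size (memory bound)
        self.age_limit = age_limit                  # seconds before an idle entry is dropped
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.table = OrderedDict()                  # mac -> (port, last_seen), oldest first
        self.per_port = {p: 0 for p in self.ports}  # learned addresses per port
        self.violations = 0                         # frames dropped by port security

    def _forget(self, mac):
        port, _ = self.table.pop(mac)
        self.per_port[port] -= 1

    def _expire(self, now):
        # Entries are kept in last-seen order, so only the head needs checking.
        while self.table:
            mac, (_, seen) = next(iter(self.table.items()))
            if now - seen <= self.age_limit:
                break
            self._forget(mac)

    def _learn(self, mac, port, now):
        """Record the source address; return False if the frame must be dropped."""
        if mac in self.table:
            old_port, _ = self.table[mac]
            if old_port == port:                    # refresh the existing entry
                self.table[mac] = (port, now)
                self.table.move_to_end(mac)
                return True
            self._forget(mac)                       # address moved to another port
        if (self.max_macs_per_port is not None
                and self.per_port[port] >= self.max_macs_per_port):
            self.violations += 1                    # port security: refuse the address
            return False
        if len(self.table) >= self.capacity:        # table full: nothing new is recorded
            return True
        self.table[mac] = (port, now)
        self.per_port[port] += 1
        return True

    def receive(self, src, dst, in_port, now):
        """Return the egress ports for one frame; [] means the frame was dropped."""
        self._expire(now)
        if not self._learn(src, in_port, now):
            return []
        entry = self.table.get(dst)
        if entry is None or entry[0] == in_port:
            # Unknown destination: flood out every other port, exactly like a hub.
            return [p for p in self.ports if p != in_port]
        return [entry[0]]


def spoofed_mac(i):
    """Constructed locally-administered source address number i."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)


def run_scenario(port_security):
    sw = LearningSwitch(ports=(1, 2, 3), capacity=8192,
                        max_macs_per_port=1 if port_security else None)
    sw.receive(MAC1, MAC2, 1, now=0)                # machines 1 and 2 talk: both learned
    sw.receive(MAC2, MAC1, 2, now=0)
    before = sw.receive(MAC2, MAC1, 2, now=0)       # unicast to port 1 only
    # Machine 3 keeps sending frames with 10,000 different source addresses,
    # refreshing each one before the aging timer can remove it.
    for t in range(1, 401):
        for k in range(100):
            sw.receive(spoofed_mac((t * 100 + k) % 10000), BROADCAST, 3, now=t)
    # Machine 1 was idle, so its entry aged out. Machine 2 sends, machine 1
    # replies, machine 2 sends again: the last frame shows whether the switch
    # could re-learn the two addresses or is still flooding to port 3.
    sw.receive(MAC2, MAC1, 2, now=400)
    sw.receive(MAC1, MAC2, 1, now=400)
    after = sw.receive(MAC2, MAC1, 2, now=400)
    return {"before": before, "after": after,
            "table_size": len(sw.table), "violations": sw.violations}


if __name__ == "__main__":
    print("no port security:", run_scenario(False))  # after == [1, 3]: flooded to machine 3
    print("port security:   ", run_scenario(True))   # after == [1]: unicast restored
```

The defensive point is in the second run: limiting learned addresses per access port (and logging the violation counter) both stops the table from filling and gives the operator a signal that something on that port is generating thousands of source addresses.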
