I can say that I've seen plenty of SMTP traffic going to/from the WBR Parish Sheriff's Dept. account from my internet-pointing interface. Maybe the switch ports are getting flooded by all the worm traffic and defaulting back to broadcasting everything.
On Tue, 2003-09-09 at 10:28, Scott Harney wrote:
> Dustin Puryear <[EMAIL PROTECTED]> writes:
>
> >
> >>Look at the source and destination addresses. The shared-media aspect of
> >>cable means you pretty much see all your neighbors' traffic, including
> >>arp broadcasts. If it's much higher than normal, and you're seeing an
> >
> > I don't think this is totally accurate. From what I've seen only
> > broadcast traffic can be seen by others. Unicast traffic can't be so
> > easily sniffed. I know in the past that what you just said was
> > accurate, but not any more. Scott?
>
> You're right, Dustin. To sniff unicast traffic, you need to poison
> the ARP cache like you might on an ethernet switch. The dsniff suite
> of tools can do this (Don't DO it on your cable modem unless you
> actually work for Cox/Charter/whatever. Do try it on a switched
> ethernet LAN that you own as it is educational.)
>
> It's easiest to think of DOCSIS cable connections as being similar
> to being plugged into an ethernet switch.
>
> >
> > Maybe it's a DHCP problem. :)
>
> Maybe. I haven't turned snort on my obsd box in New Orleans to
> see if we're getting the same thing. There's so much ARP traffic
> on my segment that my activity light is mostly solid these days
> anyway.
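
Added example, not part of the original thread: a small Python check for the ARP cache poisoning mentioned above, run over ARP replies seen on a segment. The sample lines are constructed in the style of `tcpdump -n arp` output, and the function name and alert tuples are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (not a real capture).
SAMPLE = """\
10:28:01.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
10:28:01.100300 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
10:28:05.200000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 46
10:28:09.300000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:01, length 46
10:28:09.800000 ARP, Reply 192.168.1.20 is-at 00:de:ad:be:ef:01, length 46
10:28:11.300000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:01, length 46
"""

REPLY = re.compile(
    r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)

def find_arp_anomalies(text):
    """Return alerts for IP->MAC bindings that change and MACs claiming several IPs."""
    first_seen = {}                  # ip -> first MAC that answered for it
    ips_by_mac = defaultdict(set)    # mac -> every IP it has claimed
    alerts = []
    for line in text.splitlines():
        m = REPLY.search(line)
        if not m:
            continue                 # requests and non-ARP lines are ignored
        ip, mac = m.group(1), m.group(2).lower()
        known = first_seen.setdefault(ip, mac)
        if mac != known:
            alert = ("changed", ip, known, mac)
            if alert not in alerts:  # report each rebinding once
                alerts.append(alert)
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:             # one station answering for several hosts
            alerts.append(("multi", mac, tuple(sorted(ips))))
    return alerts

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE):
        print(alert)
```

A changed binding also appears after a legitimate NIC swap or DHCP reassignment, and routers doing proxy ARP answer for many addresses, so treat these alerts as leads to verify against known hardware.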
