  • 4 votes

Why does network sniffing software work over the switch?

We have several standard non-managed 3com switches in a network. I thought switches were supposed to only send packets between the peers of a connection.

However, it appears that network sniffing software running on a computer attached to any one of the switches is able to detect traffic (i.e. YouTube video streaming, web pages) of other host computers attached to other switches on the network.

Is this even possible or is the network thoroughly broken?

Packet sniffing may sound like the latest street drug craze, but it's far from it. Packet sniffers or protocol analyzers are tools that are commonly used by network technicians to diagnose network-related problems. Packet sniffers can also be used by hackers for less than noble purposes such as spying on network user traffic and collecting passwords.

Let's take a look at what a packet sniffer is and what it does:

Packet sniffers come in a couple of different forms. Some packet sniffers used by network technicians are single-purpose dedicated hardware solutions while other packet sniffers are software applications that run on standard consumer-grade computers, utilizing the network hardware provided on the host computer to perform packet capture and injection tasks.

  • 2

By their function, a switch will only forward packets to the port where the destination computer (identified by its MAC address) is. For this reason, they are said to mitigate sniffing attacks.

However, switches are not security devices but network devices. In order to know where a specific computer is, they have to learn where it is. For this, they read the MAC addresses of the computers in the packets that go through them. When possible, they will assign a MAC to a specific port and continue to forward traffic related to this MAC to this specific port only. Due to the protocol, you can take advantage of this by performing ARP poisoning, confusing the switch, which ultimately will continue to operate as a simple hub, forwarding all traffic to all ports. With this attack, one can still perform sniffing.

  • 2

To complete David's answer, a switch learns who is behind a port by looking at the MAC addresses of packets received on that port. When the switch is powered on, it knows nothing. Once device A sends a packet from port 1 to device B, the switch learns that device A is behind port 1, and sends the packet to all ports. Once device B replies to A from port 2, the switch only sends the packet on port 1.

This MAC to port relationship is stored in a table in the switch. Of course, many devices can be behind a single port (if a switch is plugged in to the port as an example), so there may be many MAC addresses associated with a single port.

This algorithm breaks when the table is not large enough to store all the relationships (not enough memory in the switch). In this case, the switch loses information and begins to send packets to all ports. This can easily be done (now you know how to hack your network) by forging a lot of packets with different MACs from a single port. It can also be done by forging a packet with the MAC of the device you want to spy on, and the switch will begin sending you the traffic for that device.

Managed switches can be configured to accept a single MAC from a port (or a fixed number). If more MACs are found on that port, the switch can shut down the port to protect the network, or send a log message to the admin.

EDIT:

About the YouTube traffic, the algorithm described above only works on unicast traffic. Ethernet broadcast (ARP as an example) and IP multicast (used sometimes for streaming) are handled differently. I do not know if YouTube uses multicast, but it might be a case where you can sniff traffic not belonging to you.

About web page traffic, this is strange, as the TCP handshake should have set the MAC to port table correctly. Either the network topology cascades a lot of very cheap switches with small tables that are always full, or somebody is messing with the network.

  • 4
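The two answers above describe the same mechanism from both sides: a switch learns MAC-to-port bindings from source addresses, floods frames whose destination it has not learned, stops learning once its table is full (so it degrades into a hub), and a managed switch's per-port MAC limit catches the flood of bogus source addresses. The following toy model of a learning switch is an added illustration, not code from the original post or from any switch vendor; the port numbers, MAC addresses and frames are constructed sample values, and the `LearningSwitch` class and its `max_macs_per_port` option are hypothetical names chosen for the example.

```python
"""Toy model of a learning (transparent) Ethernet switch.

Shows, with constructed frames on constructed ports:
  * unknown destinations are flooded to every port except the ingress port,
    and a reply lets the switch narrow forwarding down to a single port;
  * once the MAC table is full the switch cannot learn new hosts, so their
    frames keep being flooded to all ports (the "acts like a hub" failure mode
    an unmanaged switch falls into);
  * a port-security limit (max N MACs per port, as on a managed switch)
    trips on the burst of different source MACs, shuts that port and logs it,
    so the other hosts' traffic stays on the right ports.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Frame:
    src: str          # source MAC, as learned by the switch
    dst: str          # destination MAC; ff:ff:ff:ff:ff:ff is broadcast
    payload: str = ""


class LearningSwitch:
    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size              # MAC table capacity (entries)
        self.max_macs_per_port = max_macs_per_port  # None = unmanaged switch
        self.table = OrderedDict()                # MAC -> port
        self.shutdown_ports = set()
        self.log = []

    def _macs_on_port(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def _learn(self, mac, port):
        if mac in self.table:                     # refresh an existing binding
            self.table[mac] = port
            return
        if (self.max_macs_per_port is not None
                and self._macs_on_port(port) >= self.max_macs_per_port):
            # Port security: too many source MACs seen behind one port.
            self.shutdown_ports.add(port)
            self.log.append(f"port {port}: MAC limit exceeded by {mac}, port shut down")
            return
        if len(self.table) >= self.table_size:
            # Table full: the switch simply cannot learn this host.
            self.log.append(f"table full, cannot learn {mac} on port {port}")
            return
        self.table[mac] = port

    def receive(self, ingress_port, frame):
        """Return the set of egress ports the frame is forwarded to."""
        if ingress_port in self.shutdown_ports:
            return set()
        self._learn(frame.src, ingress_port)
        if ingress_port in self.shutdown_ports:   # learning just tripped port security
            return set()
        dst_port = self.table.get(frame.dst)
        if dst_port == ingress_port:
            return set()                          # destination is on the same segment: filter
        if dst_port is None:                      # unknown unicast or broadcast: flood
            return {p for p in self.ports
                    if p != ingress_port and p not in self.shutdown_ports}
        return {dst_port}


A = "aa:aa:aa:aa:aa:01"   # constructed host on port 1
B = "bb:bb:bb:bb:bb:02"   # constructed host on port 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def normal_conversation():
    """Healthy switch: first frame floods, the reply pins both hosts to their ports."""
    sw = LearningSwitch(ports=[1, 2, 3], table_size=8)
    first = sw.receive(1, Frame(src=A, dst=B))    # B unknown -> flooded to ports 2 and 3
    reply = sw.receive(2, Frame(src=B, dst=A))    # A already learned -> port 1 only
    second = sw.receive(1, Frame(src=A, dst=B))   # B now learned -> port 2 only
    return first, reply, second


def table_overflow(table_size=4):
    """Unmanaged switch whose table is filled from port 3 before A and B talk."""
    sw = LearningSwitch(ports=[1, 2, 3], table_size=table_size)
    for i in range(table_size):                   # constructed burst of distinct source MACs
        sw.receive(3, Frame(src=f"de:ad:be:ef:00:{i:02x}", dst=BROADCAST))
    sw.receive(1, Frame(src=A, dst=B))            # A cannot be learned any more
    reply = sw.receive(2, Frame(src=B, dst=A))    # ... so B's reply is flooded to port 3 too
    return reply


def port_security(max_macs=1):
    """Managed switch with a one-MAC-per-port limit sees the same burst on port 3."""
    sw = LearningSwitch(ports=[1, 2, 3], table_size=4, max_macs_per_port=max_macs)
    for i in range(3):
        sw.receive(3, Frame(src=f"de:ad:be:ef:00:{i:02x}", dst=BROADCAST))
    sw.receive(1, Frame(src=A, dst=B))
    reply = sw.receive(2, Frame(src=B, dst=A))    # port 3 is down, A is learned -> port 1 only
    return reply, 3 in sw.shutdown_ports, sw.log


if __name__ == "__main__":
    print("normal:", normal_conversation())
    print("table overflow, reply seen on:", table_overflow())
    print("port security:", port_security())
```

The model deliberately keeps the unmanaged and managed behaviours in one class so the difference is visible in a single place: with `max_macs_per_port=None` the only defence is table capacity, which the burst exhausts, whereas the per-port limit converts the same burst into a shut port and a log line, which is the detection and mitigation the third answer describes. Real switches also age table entries out after a timeout, which this model omits.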