Security Basics mailing list archives

RE: Caching a sniffer
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Wed, 24 Mar 2004 12:54:31 -0600

<snip />

> In essence if you flood the MAC table of a switch the switch will turn
> into a hub, thus "disabling the switch component of the ports".

Of course, that's not necessarily true.  The behavior of a switch when the
MAC address table is exceeded is not defined by any standard, nor is it
often specified by the manufacturer.

I can think of at least four behaviors, each of which would give different
results to the end user.

1. Dump the entire MAC table.  Switch acts as if power on reset just

2. Stop learning.  All previously learned MAC addresses remain, and so only
traffic for unrecognized MAC addresses gets sent to all ports.

3. Partial purge of table.  Some portion of the table gets purged and the
switch continues, treating those purged MAC addresses as if this was the
first time they were seen.  Depending upon how the purged addresses are
selected - oldest first, youngest first, random, lowest MAC addresses,
highest MAC addresses or something else - the switch will act
differently for different users.

4. Shutdown port - assume hostile intent and stop forwarding traffic.

Further note that some manufacturers have per-port tables, others have a
single global table, and some (10/100 switches) may have a 10BaseT table and
a 100BaseT table, so the behaviors above could have other 'flavors'.

Do I know of which switches do what?  Nope.  But we should ALL have learned
the lessons of depending upon undocumented behaviors and unspecified
conditions with Y2K.

Somebody said this earlier in the thread.  To rephrase... If you have a
business need to do this, you should be buying gear that allows you to do it
in a controlled AND understood manner.

> You could argue that turning on SPAN/Port Mirroring is also disabling
> the 'switch' part of that concerned port.

SPAN/Port Mirroring/Roving Analysis Port (3Com) is intentional and controlled
by the administrator.  Also, how the port handles traffic in excess of its
capacity (say you are monitoring 3 100BaseT ports out a single 100BaseT
port) is completely manufacturer dependent and undocumented.

<snip />
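The four table-full behaviors listed in the message can be made concrete with a small model. The following is an added example, not code from the post or from any switch vendor: a toy learning switch with one global MAC table and four constructed overflow policies (the "partial purge" case is modeled as oldest-first). Port numbers, the table capacity and the MAC addresses are made up. The scenario has two real hosts on ports 1 and 2, then a third port that sources many distinct MACs; the result shows that only two of the four policies cause host A's next frame to be flooded to every port, while the other two keep delivering it as unicast, which is the author's point that the outcome is unpredictable. The `suspicious_ports` check is a defender-side signal that does not depend on which policy the switch implements: a port that has sourced far more distinct MACs than hosts could plausibly sit behind it.

```python
# Added example (not from the original post or any vendor): a toy model of a
# learning switch with one global MAC table and four constructed policies for
# what happens when the table is full, mirroring the four behaviours listed
# in the message. Capacity, port numbers and MAC addresses are made up.
from collections import OrderedDict

FLOOD = "flood"          # frame copied to every port except the ingress port
POLICIES = ("dump", "stop_learning", "purge_oldest", "shutdown")


class Switch:
    def __init__(self, capacity, policy):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.capacity = capacity
        self.policy = policy
        self.table = OrderedDict()   # mac -> port; insertion order doubles as age
        self.shutdown = set()        # ports disabled under the "shutdown" policy
        self.sources_seen = {}       # port -> set of source MACs observed (telemetry)

    def _learn(self, mac, port):
        # Telemetry is recorded for every frame, regardless of table policy.
        self.sources_seen.setdefault(port, set()).add(mac)
        if mac in self.table:
            self.table[mac] = port   # refresh the entry and make it the youngest
            self.table.move_to_end(mac)
            return
        if len(self.table) < self.capacity:
            self.table[mac] = port
            return
        # Table is full: apply one of the four candidate behaviours.
        if self.policy == "dump":              # 1. forget everything, learn this one
            self.table.clear()
            self.table[mac] = port
        elif self.policy == "stop_learning":   # 2. keep old entries, ignore new ones
            return
        elif self.policy == "purge_oldest":    # 3. partial purge, oldest-first variant
            self.table.popitem(last=False)
            self.table[mac] = port
        elif self.policy == "shutdown":        # 4. treat the overflow as hostile
            self.shutdown.add(port)

    def forward(self, src, dst, ingress):
        """Return the egress port, FLOOD, or None if the ingress port is shut down."""
        if ingress in self.shutdown:
            return None
        self._learn(src, ingress)
        if ingress in self.shutdown:
            return None
        return self.table.get(dst, FLOOD)

    def suspicious_ports(self, threshold):
        """Ports that have sourced more distinct MACs than a plausible host count."""
        return sorted(p for p, macs in self.sources_seen.items() if len(macs) > threshold)


def run_scenario(policy, capacity=4, bogus_frames=8):
    """Hosts A (port 1) and B (port 2) exchange frames so both are learned, then
    port 3 emits frames with many distinct constructed source MACs.  Returns
    where the switch sends A's next frame to B, plus the ports the telemetry
    check flags."""
    sw = Switch(capacity, policy)
    a, b = "00:00:00:aa:aa:aa", "00:00:00:bb:bb:bb"
    sw.forward(a, b, ingress=1)          # A learned on port 1
    sw.forward(b, a, ingress=2)          # B learned on port 2
    for i in range(bogus_frames):
        sw.forward(f"02:00:00:00:00:{i:02x}", b, ingress=3)
    decision = sw.forward(a, b, ingress=1)
    return decision, sw.suspicious_ports(threshold=1)


if __name__ == "__main__":
    for policy in POLICIES:
        decision, flagged = run_scenario(policy)
        print(f"{policy:14s} A->B goes to: {decision!s:6s} flagged ports: {flagged}")
```

With the default capacity of 4 and 8 bogus frames, `dump` and `purge_oldest` end with A and B evicted, so A's frame to B is flooded out every port; `stop_learning` and `shutdown` keep B's entry and deliver the frame only to port 2. In all four cases port 3 is flagged, because the distinct-source count is kept independently of the table.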

