Home page logo

basics logo Security Basics mailing list archives

RE: Caching a sniffer
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 25 Mar 2004 08:06:09 -0800

-----Original Message-----
From: Fernando Gont [mailto:fernando () gont com ar]
Sent: Wednesday, March 24, 2004 2:27 PM
To: gillettdavid () fhda edu; security-basics () securityfocus com
Subject: RE: Caching a sniffer

At 08:58 24/03/2004 -0800, David Gillett wrote:

  I presume that some switches, faced with something like 
macoff, will
overflow the table such that legitimate addresses that 
should have been
learned start flooding to all ports as well.
  But this is not the only possible reaction of a switched 
network to
macoff!  If Cisco's port security is enabled, the switch may 
just shut
down the port running macoff.

How does it detect this? By realizing that frames from a 
given port come 
from several different MAC source addresses?

  Exactly.  The configurable parameters for port security are:

1.  Maximum number of different source MAC addresses to be seen
    from this port.

2.  Action to be taken (alert, or shutdown port) when this limit
    is exceeded.

David Gillett

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]