RE: Why can I see other traffic at switch environment just tcpdump?

["Naman Latif" <naman.latif () inamed com>]

I would think that it is the "unknown unicast" traffic. If the switch doesn't find the destination MAC Address in it 
FDB (mac-address table), it will flood all ports in that VLAN with that packet.
If you want to protect the port from getting these messages, use the 
"port block unicast" command in interface-config mode for Cisco Switches.

Regards \\ Naman


> -----Original Message-----
> From: Chris Santerre [mailto:csanterre () MerchantsOverseas com] 
> Sent: Monday, October 21, 2002 1:58 PM
> To: 'SB CH'; security-basics () securityfocus com
> Subject: RE: Why can I see other traffic at switch 
> environment just tcpdump?
>
>
> 2 reasons off the top of my head:
> 1) Port your in is a SPAN port for some reason.
> 2) There is a way to flood a switch with data, forcing it to 
> revert back to a hub. Thus allowing a hacker to map your net. 
>
> If #2 is it, you may have other problems to research :)
>
> -----Original Message-----
> From: SB CH [mailto:chulmin2 () hotmail com]
> Sent: Tuesday, October 08, 2002 10:03 PM
> To: security-basics () securityfocus com
> Subject: Why can I see other traffic at switch environment 
> just tcpdump?
>
>
> Hello, all
>
> I have operated linux server at switch environment,
> and just with tcpdump, I can see some other traffic whic is 
> not related 
> with me without any other tool or trick.
>  
> it means that I can sniff traffic without special sniffing 
> tool at the 
> switch , right? is it possible?
> but it's ture.
>
> for example, 
>
> # tcpdump port 80
> 15:03:42.681171 eth0 P 211.47.130.114.1131 > 211.47.1.55.www: S 
> my system has no relations with 211.47.130.114 or 
> 211.47.1.55. just switch connected together with 211.47.1.55.
>
>
> Thanks in advance.
>
>
>
>
>
>
> _________________________________________________________________
> MSN Messenger¸¦ ´Ù¿î·ÎµåÇÏ¿© ¿Â¶óÀÎ»ó¿¡ Àִ ģ±¸¿Í ´ëÈ­¸¦ ³ª´©¼¼¿ä. 
> http://messenger.msn.co.kr