RE: Sniffing in switched network

["David Gillett" <gillettdavid () fhda edu>]

1.  If you're an admin, you should be able to ping one of
the hosts being sniffed and then inspect the arp caches
(local and/or switch) to detect the poisoning.  No need to
sniff to do it.

2.  As an admin, you can use port mirroring to sniff,
without resorting to cache poisoning.  But if the offender
poisons the cache with the broadcast MAC address, sniffing 
the poison packets coming from a specific port is the only 
way to catch him.  Although that *would* be pretty obvious
that there was something going on....

David Gillett


> -----Original Message-----
> From: nork () gazeta pl [mailto:nork () gazeta pl]
> Sent: January 30, 2003 04:52
> To: security-basics () securityfocus com
> Subject: Sniffing in switched network
>
> Hello,
>
> I've read through some documentation about sniffing the
> switched network. There are some arp-cache methods to
> discover a sniffing host (switched or "normal" network
> is not important here I think), if it is the switched
> network will I get the result I want, or first I have
> to become a  sniffer also (i.e. arp-poison the switch
> cache) - to get the responses that will tell me who is
> the sniffer?
>
> Most documentation I read is somewhat old (2 years), is
> everything aleady well known and described in this
> subject or are there any running projects? 
>
> Thanks for help,
>
> Norbert