Switch/Hub

[anban]

A switch would start working like a hub when it has more information than what it can handle.

1. Please tell me the categories of switches? Manged and so..

2. By using software like etheral will a manged switch become a hub?

Thank you.

[cheyenne1212]

A switch would start working like a hub when it has more information than what it can handle.

Your basic switch just looks at the address part of the packet to foward it to the correct Computer. The hub just sends it to every computer, and only the computer that the packet is meant for gets it.

If you "DOS" a switch, or switch has more information than it can handle, it doesn't act like a hub, it just get slow or crashes.

Categories of switches.

Un-managed switches:
Un-managed switch has no administration capability at all. Only thing it does is as I described above. It forwards packets to the correct computers.

Managed Switches:
A managed switch allows you to actually configure the switch. Usually done through a Web console. I know on Cisco switches you can telnet into them and configure them via the CLI.

Layers of switcches

Layer2 Switch:
A layer 2 switch operates on the Layer 2 level of the OSI model. It switches packets based on their MAC address.

Layer3 Switch:
A Layer 3 switch operates on the layer 3 level of the OSI model. This switch forwards packets based on the IP address of the destination found inside the packet.

Layer 4 switch:
A layer 4 switch allows you to filter traffic on your network. You can dis-allow certain protocols from reaching certain areas of a network. Layer 4 Switching is used a lot of times in Load balancing enviroments. Layer 4 switchign can also provide QoS server or quality of service which is used a lot in Voice over IP applications.

If your unsure of what the OSI model is I'll explain it to you.

also negative wrote a nice tutorial on this to you can find it here
http://www.antionline.com/showthread...hreadid=108374

The OSI model consists of 7 layers. The OSI model is the standard on how data is sent and recieved on a network. It goes through the following steps.

Theres a good video on this I'll try to find it.

Layer 1. Physical -- Means of transporting the data. Sends data on a medium
Layer 2. Data link -- Here packets are transformed into bits. This layer also handles errors
Layer 3. Network -- This is the layer that does the routing or switching of packets.
Layer 4. Transport -- As you might of guessed, this layer ensures teh data reaches its destination.
Layer 5. Session -- This layer establishes and manages connections between applications
Layer 6. Presentation -- This layer is what encrypts/decrypts the data to make it readable.
Layer 7. Application -- This layer would be the actual application part that you would use. FTP, www, telnet, ssh etc.

2. By using software like etheral will a manged switch become a hub?

All ethereal does is capture network traffic from and to your computer. If you use a switch it would not be effictive as it would not catch all data since in a switched network data only goes to the computer that is requesting it unlike a hub.

If you were to install ethereal on your computer, and you used a hub instead of a switch, then you would be able to view all network traffic with ethereal.

If your needing to see traffic coming into your network just set up ethereal on a computer and have all traffic going into the switch pass through the computer with ethereal on it.

For example

Internet
|
|
Router/Firewall
|
|
Computer with Ethereal
|
|
network Switch


Hope this helps you some.

[HTRegz]

Hey Hey

A switch would start working like a hub when it has more information than what it can handle.

Your basic switch just looks at the address part of the packet to foward it to the correct Computer. The hub just sends it to every computer, and only the computer that the packet is meant for gets it.

If you "DOS" a switch, or switch has more information than it can handle, it doesn't act like a hub, it just get slow or crashes.

Actually what he's saying is correct. If you flood a switch with bogus arps it will eventually start flooding out all ports because it's unsure of what to do with the information. It's a well known and documented technique... One that ettercap uses to sniff switched networks..

anban: You may want to check out http://www.watchguard.com/infocenter...ial/135324.asp. While it isn't very technical it gives you a good overview of arp poisoning... more specifically check out this section

MAC Flooding is an ARP Cache Poisoning technique aimed at network switches. (If you need a reminder about the difference between a hub and a switch, see this sidebar.) When certain switches are overloaded they often drop into a "hub" mode. In "hub" mode, the switch is too busy to enforce its port security features and just broadcasts all network traffic to every computer in your network. By flooding a switch's ARP table with a ton of spoofed ARP replies, a hacker can overload many vendor's switches and then packet sniff your network while the switch is in "hub" mode.

There's tons of information on this topic on here and on google.

Peace,
HT

[anban]

Thank you HTRegz, cheyenne1212.
1. I need some more details on managed switches and their layer of operation.
2. On MAC flooding, if you can suggest reading metarials and prevention tech., it will help me a lot.

Once again my thanks.

[HTRegz]

Hey Hey,

You can have a managed switch operate at any layer that a switch will operate... most likely layer 2... Do a google search on managed switches.. you'll get an abundance of information since your question is rather vague that will allow you to narrow down specifically what you want. Unmanaged = Cheap switches (SMC, Linksys, Dlink)... Managed = Expensive (usually)... Cisco, BayNetworks (Nortel)... etc.


As far as your second question... Check out the search feature here.... and also google..

http://www.l0t3k.org/security/docs/arp/ <-- while the information is dated it's not like there's much change.. this will give you a fair amount of details on the subject.

Peace,
HT

[anban]

Thanks.
Just I visited Watchguard.com, I could find what you said.