Packet Sniffing?

Depends on the type of switch. I should have remembered to clarify this. Switches we see today are at layer 2 and layer 3. I've spent far too much time at the layer 3 and have doubts as to how many layer 2 switches truly exist. I think most manufacturers have gone to layer 3 with only the real cheapo switches being staying at layer 2.

My apologies for not clarifying this earlier.


<offtopic>

Smartin77 asked:

Quote:

---

Is this a graduate level class? What other classes do you teach?

I'm almost done with my B.S. in Information Systems and becuase I have no INFOSEC experience, I'm thinking 'bout getting a masters in INFOSEC. What are your thoughts? Maybe better just for the certs?

---

I teach courses that are Introductary into security and advanced level courses. Certs can help (Security+ might be a good starting gate cert) but nothing beats experience. I can tell you right now, even if you get your masters you'll still need experience (although the Masters might appeal to some).

I tend to say that security admins are like doctors. When doctors go to medical school they get their degree in medicine but then spend 10 years doing residence. It's the same concept with security admin. You get your degree in Comp Sec (or, hopefully by next year we'll be starting a bac in computer and network security) and then spend 10 years honing your skills. You have to do the grunt work first before you can be the star.

<ontopic>

Guys,
that's quite an interresting discussion overhere, let me just clarifying some ethernet basics from what I know.
(for information I am a System Engineer and my work is to design networking products including multilayer switch)

1)

Quote:

---

phishphreek80 wrote:
If you are attached to a switch, you can only sniff traffic going to and from your single host.

---

I wrote a tut in AO few month ago ( http://www.antionline.com/showthread...hreadid=237836 ), to resume there is some techniques to overflow switch buffer in order to force them to behave like a hub.

For the history, there is 2 types of Layer 2 switch: 802.1d & 802.1q. All ethernet recent & decent switches implement both standard. The switch will create several virtual brigde group that restrict the broadcast domain to a sub-set of ports.
- CAM overfow attacks results in the ability to sniff the bridge group you belong to.
- VLAN hopping attacks results in a blind attack to send packet to a bridge group you don't belong to.
....

2)

Quote:

---

Fabs wrote:
To clarify, A switch learns (very quickly) what ip's are associated to what MAC addresses on what ports of the hub, then as packets come in it analyses their destination and forwards them onto the correct ports.

---

I am surry to say that is not true. IEEE standard does not specify such capability as Layer 3 switching! But some chipset implement IP address into their CAM entries. I mean that a router will learn dynamicaly the layer 3 routes and may program the switch CAM table to shortcut the routing process. That's what is called L3P switching.

New chipset generation such as PRESTERA from MARVEL-GALLILEO allows to do either L3P and L4P switching or enhance QoS finctions and so on, but still the intelligence that takes decisions to route, classify,.. is not within the switch, it just provide registry entries to be progammed by external processes.
For instance CISCO Catalyst implement in a single box such functions.

3)

Quote:

---

HTRegz wrote:
3 types of Devices..
Repeaters, Bridges, and Routers

---

Repeaters are part from the past I do not think you will find widely use products doing only the repeater function any more.
For me there is 3 type of devices for layer 2 switching:
Hubs: simple bus
802.1d switches: 1 broadcast domain with self MAC learning mechanisms
802.1q switches: n broadcast domains that can be porpagated to external switches to compose a VLAN (virtual LAN)

1 type of layer 3 processing : routers.

Layer 7 processing: aplicative proxies ...

4)

Quote:

---

MsMittens wrote:
I've spent far too much time at the layer 3 and have doubts as to how many layer 2 switches truly exist. I think most manufacturers have gone to layer 3 with only the real cheapo switches being staying at layer 2.

---

I think you didn't spend enough time to figure it out, madam the teacher! just for example Newbridge, Xylan, 3COM, Alcatel ...
A multilayer switch is harder to administrate that a standard switch. In many case a corporation will use simply hub or standard switch to connect users and will use enhanced multilayer switch for centralized bridge. Multilayer switches aims to spare router CPU, when you locally flows data, routed data may not be huge enough to justify complex switches!

Thanks to the guy that read this from the beginning.