Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Dear Experts,
I am in a switched network behind a proxy,running wireshark in promiscuous mode and NIC as well,on centos7. My query is that I am not supposed to capture packets through wireshark in a "switched network", but still I can capture them. How is it happening ?
Any opinion is much appreciated.
My query is that I am not supposed to capture packets through wireshark in a "switched network", but still I can capture them. How is it happening ?
You will be able to capture the following traffic in a switched network:
Frames being generated by the host doing the capturing
Frames sent to the NIC of the PC doing the capturing
Broadcast frames
Frames sent to a destination MAC address not (yet) in the CAM table of the switch in question
Frames sent to a destination MAC address that was purged from the switch's CAM table due to lack of memory capacity in the switch, or the switch was power cycled or reset
The most common way for a malicious actor to bypass switch logic when capturing frames, is to flood the network with tiny frames with random source MAC addresses. Since a switch will obviously always have limited RAM in which to store the CAM table, flooding will trigger scenario 5 above.
You will be able to capture the following traffic in a switched network:
Frames being generated by the host doing the capturing
Frames sent to the NIC of the PC doing the capturing
Broadcast frames
Frames sent to a destination MAC address not (yet) in the CAM table of the switch in question
Frames sent to a destination MAC address that was purged from the switch's CAM table due to lack of memory capacity in the switch, or the switch was power cycled or reset
The most common way for a malicious actor to bypass switch logic when capturing frames, is to flood the network with tiny frames with random source MAC addresses. Since a switch will obviously always have limited RAM in which to store the CAM table, flooding will trigger scenario 5 above.
That is what confuses me that I am connected to a switched network, and I can capture TCP packets meant for some other host in the network, like for eg: any host in my n/w sends a TCP SYN packet to a website on the internet I am able to capture that packet. I can also capture TCP SYN,ACK,RST packets, even sometimes I captured HTTP requests from some other host in the n/w to proxy. How is this happening?
Dear all & Jefro,
Its a switch of a well renowned company, no port is mirrored. I can capture all traffic in the n/w. And finally I found a reason behind this, which I am sharing with you all, I request you all to confirm it.
A switch learns who is behind a port by looking at the MAC addresses of packets received on that port. When the switch is powered on, it knows nothing. Once device A sends a packet from port 1 to device B, the switch learns that device A is behind port 1, and sends the packet to all ports. Once device B replies to A from port 2, the switch only sends the packet on port 1.
This MAC to port relationship is stored in a table in the switch. Of course, many devices can be behind a single port (if a switch is plugged in to the port as an example), so there may be many MAC addresses associated with a single port (this is what I think is happening in my case).
This algorithm breaks when the table is not large enough to store all the relationships (not enough memory in the switch). When this happens the switch loses information and begins to send packets to all ports. This can easily be done by forging lot of packets with different MAC from a single port. It can also be done by forging a packet with the MAC of the device you want to spy, and the switch will begin sending you the traffic for that device.
There is a solution but I can't implement it---Managed switches can be configured to accept a single MAC from a port (or a fixed number). If more MACs are found on that port, the switch can shutdown the port to protect the network, or send a log message to the admin.
yes that is what I am saying that arp cache is not large enough to store all the mac address. This is because in my network it like "edge switch 32 ports serving 24 clients and another 8 switches, more switches connected to that switch, so basically its like a switch hierarchy because of which the edge switch has to learn more than 100 MAC address on one single port. This is the point where the algorithm breaks and switch behaves as "hub". what do you think?
Guess stuff happens. A quality or even most soho switches shouldn't fail like that. Never heard of a HP or Cisco enterprise level switch doing that but I haven't seen it all yet.
As you say during the initial population phase it could act like a hub.
yes that is what I am saying that arp cache is not large enough to store all the mac address. This is because in my network it like "edge switch 32 ports serving 24 clients and another 8 switches, more switches connected to that switch, so basically its like a switch hierarchy because of which the edge switch has to learn more than 100 MAC address on one single port. This is the point where the algorithm breaks and switch behaves as "hub". what do you think?
I think you should talk to your networking team. Find out if they have things set up correctly, or if they're lazy, and have shoved in something that isn't working correctly. Are you plugged in to a span port, by any chance??
If you run a program that does this, you will be able to see such things....again, if your network administrators haven't set things up to deter events like this from happening.
This is the point where the algorithm breaks and switch behaves as "hub". what do you think?
It's possible, but it would require a huge number of hosts or someone inside the network deliberately overloading the switches. Even the cheapest workgroup switches I've seen had CAM tables that could hold over 8000 entries (8192 to be exact).
Is your organization using VLANs? If so, is it possible that you're connected to a switchport configured as a trunk? Some capture programs (like tcpdump) doesn't show 802.1q headers unless specifically told to do so, so sniffing traffic on a trunk port can make the entire network look like one huge collision domain.
Jefro,
As I observed the switch has been acting like that only.
TBOne,
I am pretty sure that admins have configured everything perfectly. I know about arp poisoning, but I have not checked for it. How do I confirm that,"if there is an arp poisoning in process".
Ser Olmy,
Yes there are VLANs and there is a possibility of me connected to a trunk port.
Quote:
Some capture programs (like tcpdump) doesn't show 802.1q headers unless specifically told to do so, so sniffing traffic on a trunk port can make the entire network look like one huge collision domain.
I didn't clearly understood this point!!
One more point that I would like to add is when I was connected to the edge switch or main switch directly I was able to capture around 10 lac packets in few hours, but when I changed my connection to another switch (just in case to test the switch), I can't even capture 1k packets, I hope this helps!
As I observed the switch has been acting like that only.
Acting like WHAT only??
Quote:
I am pretty sure that admins have configured everything perfectly. I know about arp poisoning, but I have not checked for it. How do I confirm that,"if there is an arp poisoning in process".
Why do you assume they have done it 'perfectly'??? Things are not LOOKING like they did them 'perfectly', since you're seeing what you're seeing. The results you're getting are great indicators that ARP poisoning is taking place...examine the ARP tables to confirm things.
Quote:
Yes there are VLANs and there is a possibility of me connected to a trunk port.
...which would give you the results you're seeing, and point back to the network administrators not being too good, because you should NEVER hand out trunk/span ports to users for no good reason. Those things are typically reserved for maintenance/monitoring.
Quote:
One more point that I would like to add is when I was connected to the edge switch or main switch directly I was able to capture around 10 lac packets in few hours, but when I changed my connection to another switch (just in case to test the switch), I can't even capture 1k packets, I hope this helps!
Not really, since without knowing how those things are configured in your environment, that might be totally normal or very bad.
-- Acting like a hub, meaning it is broadcasting every packet it receives.
-- About the perfection boss says he did it perfectly, so its like, Boss is always right, and I am helpless for any misconfiguration. Its like I have to prove my point and for that I need some concrete evidences some sound logic to make them understand.
Now, we have multiple VLANs and these VLANs are connected to each other (inter VLAN connectivity) via TRUNK port. And I am connected to a trunk port (I read that trunk ports carry all the traffic from & to VLANs), how am I able to sniff that traffic when it is not destined for me. Also if you are correct that sniffing is possible in trunk port, is there any alternative?
-- Acting like a hub, meaning it is broadcasting every packet it receives.
Right...which leads back to "It's not configured correctly, or you're attached to a span/trunk port"
Quote:
-- About the perfection boss says he did it perfectly, so its like, Boss is always right, and I am helpless for any misconfiguration. Its like I have to prove my point and for that I need some concrete evidences some sound logic to make them understand.
No, you DON'T...your boss isn't anymore perfect than anyone else. If they THINK they are, then hand this back to them, and tell them to prove it. Since you're saying that you aren't the network administrator, and your boss IS, then describe what you're seeing, and tell them to fix it.
You have 'concrete evidence'...you've posted it here. You SHOULD NOT be able to see what you're seeing, unless YOU are intentionally poisoning the ARP table.
Quote:
Now, we have multiple VLANs and these VLANs are connected to each other (inter VLAN connectivity) via TRUNK port. And I am connected to a trunk port (I read that trunk ports carry all the traffic from & to VLANs), how am I able to sniff that traffic when it is not destined for me. Also if you are correct that sniffing is possible in trunk port, is there any alternative?
BECAUSE YOU ARE CONNECTED TO A TRUNK PORT, as you've been told SEVERAL TIMES NOW. Trunk/span ports *CAN* see traffic on all networks...that's their function.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.