LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-20-2015, 06:53 AM   #1
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Rep: Reputation: 14
sniffing in a switched network


Dear Experts,
I am in a switched network behind a proxy,running wireshark in promiscuous mode and NIC as well,on centos7. My query is that I am not supposed to capture packets through wireshark in a "switched network", but still I can capture them. How is it happening ?
Any opinion is much appreciated.

best regards,
nm
 
Old 01-20-2015, 07:12 AM   #2
luquee
LQ Newbie
 
Registered: Jul 2008
Posts: 11

Rep: Reputation: 0
info switch

First option
1) Take a pic with 2 network cards
2) make a bridge with 2 cards
3) connect the cables in the pc as bridge
4) use a sniper as ntop

Second option

1) in the configuration switch make a port mirroring
2) connect the cable in the switch
3) start snifer as ntop
 
Old 01-20-2015, 07:29 AM   #3
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
Quote:
Originally Posted by NM04 View Post
My query is that I am not supposed to capture packets through wireshark in a "switched network", but still I can capture them. How is it happening ?
You will be able to capture the following traffic in a switched network:
  1. Frames being generated by the host doing the capturing
  2. Frames sent to the NIC of the PC doing the capturing
  3. Broadcast frames
  4. Frames sent to a destination MAC address not (yet) in the CAM table of the switch in question
  5. Frames sent to a destination MAC address that was purged from the switch's CAM table due to lack of memory capacity in the switch, or the switch was power cycled or reset
The most common way for a malicious actor to bypass switch logic when capturing frames, is to flood the network with tiny frames with random source MAC addresses. Since a switch will obviously always have limited RAM in which to store the CAM table, flooding will trigger scenario 5 above.
 
Old 01-20-2015, 11:18 PM   #4
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
Quote:
Originally Posted by Ser Olmy View Post
You will be able to capture the following traffic in a switched network:
  1. Frames being generated by the host doing the capturing
  2. Frames sent to the NIC of the PC doing the capturing
  3. Broadcast frames
  4. Frames sent to a destination MAC address not (yet) in the CAM table of the switch in question
  5. Frames sent to a destination MAC address that was purged from the switch's CAM table due to lack of memory capacity in the switch, or the switch was power cycled or reset
The most common way for a malicious actor to bypass switch logic when capturing frames, is to flood the network with tiny frames with random source MAC addresses. Since a switch will obviously always have limited RAM in which to store the CAM table, flooding will trigger scenario 5 above.
That is what confuses me that I am connected to a switched network, and I can capture TCP packets meant for some other host in the network, like for eg: any host in my n/w sends a TCP SYN packet to a website on the internet I am able to capture that packet. I can also capture TCP SYN,ACK,RST packets, even sometimes I captured HTTP requests from some other host in the n/w to proxy. How is this happening?

regards,
nm
 
Old 01-21-2015, 04:55 PM   #5
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,020

Rep: Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630
A mirror on switch to that port. (other names depending on maker of switch)

Switch bad or not really a switch.

You will get some stuff for all but they tend to be who has this or other non-direct issues.

A real switch (if I assume what you have) should be different than a common hub.
 
Old 01-21-2015, 10:44 PM   #6
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
Dear all & Jefro,
Its a switch of a well renowned company, no port is mirrored. I can capture all traffic in the n/w. And finally I found a reason behind this, which I am sharing with you all, I request you all to confirm it.

A switch learns who is behind a port by looking at the MAC addresses of packets received on that port. When the switch is powered on, it knows nothing. Once device A sends a packet from port 1 to device B, the switch learns that device A is behind port 1, and sends the packet to all ports. Once device B replies to A from port 2, the switch only sends the packet on port 1.

This MAC to port relationship is stored in a table in the switch. Of course, many devices can be behind a single port (if a switch is plugged in to the port as an example), so there may be many MAC addresses associated with a single port (this is what I think is happening in my case).

This algorithm breaks when the table is not large enough to store all the relationships (not enough memory in the switch). When this happens the switch loses information and begins to send packets to all ports. This can easily be done by forging lot of packets with different MAC from a single port. It can also be done by forging a packet with the MAC of the device you want to spy, and the switch will begin sending you the traffic for that device.

There is a solution but I can't implement it---Managed switches can be configured to accept a single MAC from a port (or a fixed number). If more MACs are found on that port, the switch can shutdown the port to protect the network, or send a log message to the admin.

regards,
nm
 
Old 01-22-2015, 09:30 PM   #7
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,020

Rep: Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630
Are you saying that the arp cache or table isn't large enough to handle all the downstream devices? Is there a thousand hubs on each switch port?
 
Old 01-22-2015, 11:00 PM   #8
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
yes that is what I am saying that arp cache is not large enough to store all the mac address. This is because in my network it like "edge switch 32 ports serving 24 clients and another 8 switches, more switches connected to that switch, so basically its like a switch hierarchy because of which the edge switch has to learn more than 100 MAC address on one single port. This is the point where the algorithm breaks and switch behaves as "hub". what do you think?

regards,
nm
 
Old 01-23-2015, 03:32 PM   #9
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,020

Rep: Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630Reputation: 3630
Guess stuff happens. A quality or even most soho switches shouldn't fail like that. Never heard of a HP or Cisco enterprise level switch doing that but I haven't seen it all yet.

As you say during the initial population phase it could act like a hub.
 
Old 01-23-2015, 03:54 PM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,801

Rep: Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002
Quote:
Originally Posted by NM04 View Post
yes that is what I am saying that arp cache is not large enough to store all the mac address. This is because in my network it like "edge switch 32 ports serving 24 clients and another 8 switches, more switches connected to that switch, so basically its like a switch hierarchy because of which the edge switch has to learn more than 100 MAC address on one single port. This is the point where the algorithm breaks and switch behaves as "hub". what do you think?
I think you should talk to your networking team. Find out if they have things set up correctly, or if they're lazy, and have shoved in something that isn't working correctly. Are you plugged in to a span port, by any chance??

And have you ever heard of ARP Poisoning?
http://www.cisco.com/c/en/us/product...11_603839.html
http://www.arppoisoning.com/how-does...oisoning-work/
http://www.admin-magazine.com/Articl...acket-Sniffing

If you run a program that does this, you will be able to see such things....again, if your network administrators haven't set things up to deter events like this from happening.
 
Old 01-24-2015, 03:01 PM   #11
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
Quote:
Originally Posted by NM04 View Post
This is the point where the algorithm breaks and switch behaves as "hub". what do you think?
It's possible, but it would require a huge number of hosts or someone inside the network deliberately overloading the switches. Even the cheapest workgroup switches I've seen had CAM tables that could hold over 8000 entries (8192 to be exact).

Is your organization using VLANs? If so, is it possible that you're connected to a switchport configured as a trunk? Some capture programs (like tcpdump) doesn't show 802.1q headers unless specifically told to do so, so sniffing traffic on a trunk port can make the entire network look like one huge collision domain.
 
Old 01-26-2015, 10:57 AM   #12
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
Jefro,
As I observed the switch has been acting like that only.

TBOne,
I am pretty sure that admins have configured everything perfectly. I know about arp poisoning, but I have not checked for it. How do I confirm that,"if there is an arp poisoning in process".

Ser Olmy,
Yes there are VLANs and there is a possibility of me connected to a trunk port.
Quote:
Some capture programs (like tcpdump) doesn't show 802.1q headers unless specifically told to do so, so sniffing traffic on a trunk port can make the entire network look like one huge collision domain.
I didn't clearly understood this point!!

One more point that I would like to add is when I was connected to the edge switch or main switch directly I was able to capture around 10 lac packets in few hours, but when I changed my connection to another switch (just in case to test the switch), I can't even capture 1k packets, I hope this helps!

regards,
nm

Last edited by NM04; 01-26-2015 at 10:58 AM.
 
Old 01-26-2015, 12:49 PM   #13
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,801

Rep: Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002
Quote:
Originally Posted by NM04 View Post
As I observed the switch has been acting like that only.
Acting like WHAT only??
Quote:
I am pretty sure that admins have configured everything perfectly. I know about arp poisoning, but I have not checked for it. How do I confirm that,"if there is an arp poisoning in process".
Why do you assume they have done it 'perfectly'??? Things are not LOOKING like they did them 'perfectly', since you're seeing what you're seeing. The results you're getting are great indicators that ARP poisoning is taking place...examine the ARP tables to confirm things.
Quote:
Yes there are VLANs and there is a possibility of me connected to a trunk port.
...which would give you the results you're seeing, and point back to the network administrators not being too good, because you should NEVER hand out trunk/span ports to users for no good reason. Those things are typically reserved for maintenance/monitoring.
Quote:
One more point that I would like to add is when I was connected to the edge switch or main switch directly I was able to capture around 10 lac packets in few hours, but when I changed my connection to another switch (just in case to test the switch), I can't even capture 1k packets, I hope this helps!
Not really, since without knowing how those things are configured in your environment, that might be totally normal or very bad.
 
Old 01-27-2015, 05:00 AM   #14
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
-- Acting like a hub, meaning it is broadcasting every packet it receives.

-- About the perfection boss says he did it perfectly, so its like, Boss is always right, and I am helpless for any misconfiguration. Its like I have to prove my point and for that I need some concrete evidences some sound logic to make them understand.

Now, we have multiple VLANs and these VLANs are connected to each other (inter VLAN connectivity) via TRUNK port. And I am connected to a trunk port (I read that trunk ports carry all the traffic from & to VLANs), how am I able to sniff that traffic when it is not destined for me. Also if you are correct that sniffing is possible in trunk port, is there any alternative?

best,
nm

Last edited by NM04; 01-27-2015 at 05:04 AM.
 
Old 01-27-2015, 08:36 AM   #15
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,801

Rep: Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002
Quote:
Originally Posted by NM04 View Post
-- Acting like a hub, meaning it is broadcasting every packet it receives.
Right...which leads back to "It's not configured correctly, or you're attached to a span/trunk port"
Quote:
-- About the perfection boss says he did it perfectly, so its like, Boss is always right, and I am helpless for any misconfiguration. Its like I have to prove my point and for that I need some concrete evidences some sound logic to make them understand.
No, you DON'T...your boss isn't anymore perfect than anyone else. If they THINK they are, then hand this back to them, and tell them to prove it. Since you're saying that you aren't the network administrator, and your boss IS, then describe what you're seeing, and tell them to fix it.

You have 'concrete evidence'...you've posted it here. You SHOULD NOT be able to see what you're seeing, unless YOU are intentionally poisoning the ARP table.
Quote:
Now, we have multiple VLANs and these VLANs are connected to each other (inter VLAN connectivity) via TRUNK port. And I am connected to a trunk port (I read that trunk ports carry all the traffic from & to VLANs), how am I able to sniff that traffic when it is not destined for me. Also if you are correct that sniffing is possible in trunk port, is there any alternative?
BECAUSE YOU ARE CONNECTED TO A TRUNK PORT, as you've been told SEVERAL TIMES NOW. Trunk/span ports *CAN* see traffic on all networks...that's their function.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Bridged Network Sniffing thebusymind Linux - Networking 1 01-19-2013 08:24 PM
Network Monitoring/Sniffing metallica1973 Linux - Enterprise 7 02-04-2009 07:23 PM
Network Sniffing My Own Email Woodsman Slackware 6 10-07-2008 04:03 PM
distros for network sniffing? jackaninny Linux - Security 2 01-22-2006 10:45 AM
network sniffing / eavesdropping facefullofsnow Linux - Security 1 12-16-2003 04:14 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:21 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration