LinuxQuestions.org
Old 01-20-2015, 06:53 AM   #1
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Rep: Reputation: 14
sniffing in a switched network


Dear Experts,
I am in a switched network behind a proxy, running Wireshark in promiscuous mode (and the NIC as well), on CentOS 7. My query is that I am not supposed to be able to capture packets through Wireshark in a "switched network", but still I can capture them. How is it happening?
Any opinion is much appreciated.

best regards,
nm
 
Old 01-20-2015, 07:12 AM   #2
luquee
LQ Newbie
 
Registered: Jul 2008
Posts: 11

Rep: Reputation: 0
info switch

First option
1) Take a PC with 2 network cards
2) Make a bridge with the 2 cards
3) Connect the cables to the PC acting as a bridge
4) Use a sniffer such as ntop

Second option

1) In the switch configuration, set up port mirroring
2) Connect the cable to the switch
3) Start a sniffer such as ntop
 
Old 01-20-2015, 07:29 AM   #3
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,345

Rep: Reputation: Disabled
Quote:
Originally Posted by NM04
My query is that I am not supposed to capture packets through wireshark in a "switched network", but still I can capture them. How is it happening ?
You will be able to capture the following traffic in a switched network:
  1. Frames being generated by the host doing the capturing
  2. Frames sent to the NIC of the PC doing the capturing
  3. Broadcast frames
  4. Frames sent to a destination MAC address not (yet) in the CAM table of the switch in question
  5. Frames sent to a destination MAC address that was purged from the switch's CAM table due to lack of memory capacity in the switch, or the switch was power cycled or reset
The most common way for a malicious actor to bypass switch logic when capturing frames is to flood the network with tiny frames with random source MAC addresses. Since a switch will obviously always have limited RAM in which to store the CAM table, flooding will trigger scenario 5 above.
 
Old 01-20-2015, 11:18 PM   #4
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
Quote:
Originally Posted by Ser Olmy
You will be able to capture the following traffic in a switched network:
  1. Frames being generated by the host doing the capturing
  2. Frames sent to the NIC of the PC doing the capturing
  3. Broadcast frames
  4. Frames sent to a destination MAC address not (yet) in the CAM table of the switch in question
  5. Frames sent to a destination MAC address that was purged from the switch's CAM table due to lack of memory capacity in the switch, or the switch was power cycled or reset
The most common way for a malicious actor to bypass switch logic when capturing frames is to flood the network with tiny frames with random source MAC addresses. Since a switch will obviously always have limited RAM in which to store the CAM table, flooding will trigger scenario 5 above.
That is what confuses me: I am connected to a switched network, and I can capture TCP packets meant for some other host in the network. For example, when any host in my network sends a TCP SYN packet to a website on the internet, I am able to capture that packet. I can also capture TCP SYN, ACK and RST packets, and sometimes I have even captured HTTP requests from some other host in the network to the proxy. How is this happening?

regards,
nm
 
Old 01-21-2015, 04:55 PM   #5
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,003

Rep: Reputation: 3629
A mirror on the switch to that port (other names depending on the maker of the switch).

Switch bad, or not really a switch.

You will get some stuff on all ports, but it tends to be "who has this" or other non-direct issues.

A real switch (if I assume that is what you have) should behave differently from a common hub.
 
Old 01-21-2015, 10:44 PM   #6
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
Dear all & Jefro,
It's a switch from a well-renowned company, and no port is mirrored. I can capture all traffic in the network. Finally I found a reason behind this, which I am sharing with you all; I request you all to confirm it.

A switch learns who is behind a port by looking at the MAC addresses of packets received on that port. When the switch is powered on, it knows nothing. Once device A sends a packet from port 1 to device B, the switch learns that device A is behind port 1, and sends the packet to all ports. Once device B replies to A from port 2, the switch only sends the packet on port 1.

This MAC-to-port relationship is stored in a table in the switch. Of course, many devices can be behind a single port (if a switch is plugged into the port, for example), so there may be many MAC addresses associated with a single port (this is what I think is happening in my case).

This algorithm breaks when the table is not large enough to store all the relationships (not enough memory in the switch). When this happens the switch loses information and begins to send packets to all ports. This can easily be done by forging a lot of packets with different MACs from a single port. It can also be done by forging a packet with the MAC of the device you want to spy on, and the switch will begin sending you the traffic for that device.

There is a solution, but I can't implement it: managed switches can be configured to accept a single MAC from a port (or a fixed number). If more MACs are found on that port, the switch can shut down the port to protect the network, or send a log message to the admin.

regards,
nm
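An added illustration of the learning, flooding and port-security behaviour described in the post above (example code written for this thread, not anything from the original post): a toy switch model whose CAM table holds a fixed number of entries and evicts the oldest, and whose per-port MAC limit err-disables a port that exceeds it. The port numbers, MAC addresses and capacities are made up for the demonstration.

```python
from collections import OrderedDict
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy learning switch: bounded CAM table (oldest evicted) plus optional port security."""
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()            # mac -> port, oldest entry first
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port   # None disables port security
        self.shutdown = set()               # ports err-disabled by port security
    def _learn(self, src, in_port):
        """Record src behind in_port; return False if port security rejects it."""
        if self.max_macs_per_port is not None:
            seen = {m for m, p in self.cam.items() if p == in_port}
            if src not in seen and len(seen) >= self.max_macs_per_port:
                self.shutdown.add(in_port)  # too many MACs on one port: shut it
                return False
        if src in self.cam:
            self.cam.move_to_end(src)       # refresh: most recently seen
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)    # table full: forget the oldest station
        self.cam[src] = in_port
        return True
    def forward(self, in_port, src, dst):
        """Return the set of ports the frame is sent out of."""
        if in_port in self.shutdown or not self._learn(src, in_port):
            return set()
        others = {p for p in self.ports if p != in_port and p not in self.shutdown}
        if dst == BROADCAST or dst not in self.cam:
            return others                   # unknown destination: flood every port
        out = self.cam[dst]
        return {out} if out in others else set()

def cam_overflow_demo():
    # A and B converse; then 5 new MACs show up behind port 3 of a 4-entry CAM
    sw = LearningSwitch(ports=[1, 2, 3], cam_capacity=4)
    sw.forward(1, "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02")          # B unknown: flooded
    before = sw.forward(2, "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01")  # {1}: A is known
    for i in range(5):
        sw.forward(3, f"cc:cc:cc:cc:cc:{i:02x}", BROADCAST)
    after = sw.forward(2, "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01")   # A evicted: flooded
    return before, after                    # ({1}, {1, 3}): port 3 now sees the frame

def port_security_demo():
    # with a 2-MAC limit per port, the third MAC on port 1 err-disables the port
    sw = LearningSwitch(ports=[1, 2], cam_capacity=64, max_macs_per_port=2)
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"):
        sw.forward(1, mac, BROADCAST)
    return 1 in sw.shutdown                 # True
```

Real switches use much larger tables and differ in their eviction policy, so the model only shows the shape of the failure and of the mitigation, not the numbers of any particular product.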
 
Old 01-22-2015, 09:30 PM   #7
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,003

Rep: Reputation: 3629
Are you saying that the ARP cache or table isn't large enough to handle all the downstream devices? Are there a thousand hubs on each switch port?
 
Old 01-22-2015, 11:00 PM   #8
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
Yes, that is what I am saying: the ARP cache is not large enough to store all the MAC addresses. This is because my network is like "an edge switch with 32 ports serving 24 clients and another 8 switches", with more switches connected to those switches, so basically it's a switch hierarchy, because of which the edge switch has to learn more than 100 MAC addresses on one single port. This is the point where the algorithm breaks and the switch behaves as a "hub". What do you think?

regards,
nm
 
Old 01-23-2015, 03:32 PM   #9
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,003

Rep: Reputation: 3629
Guess stuff happens. A quality switch, or even most SOHO switches, shouldn't fail like that. I've never heard of an HP or Cisco enterprise-level switch doing that, but I haven't seen it all yet.

As you say, during the initial population phase it could act like a hub.
 
Old 01-23-2015, 03:54 PM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,699

Rep: Reputation: 7972
Quote:
Originally Posted by NM04
Yes, that is what I am saying: the ARP cache is not large enough to store all the MAC addresses. This is because my network is like "an edge switch with 32 ports serving 24 clients and another 8 switches", with more switches connected to those switches, so basically it's a switch hierarchy, because of which the edge switch has to learn more than 100 MAC addresses on one single port. This is the point where the algorithm breaks and the switch behaves as a "hub". What do you think?
I think you should talk to your networking team. Find out if they have things set up correctly, or if they're lazy and have shoved in something that isn't working correctly. Are you plugged into a SPAN port, by any chance??

And have you ever heard of ARP Poisoning?
http://www.cisco.com/c/en/us/product...11_603839.html
http://www.arppoisoning.com/how-does...oisoning-work/
http://www.admin-magazine.com/Articl...acket-Sniffing

If you run a program that does this, you will be able to see such things... again, if your network administrators haven't set things up to deter events like this from happening.
 
Old 01-24-2015, 03:01 PM   #11
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,345

Rep: Reputation: Disabled
Quote:
Originally Posted by NM04
This is the point where the algorithm breaks and switch behaves as "hub". what do you think?
It's possible, but it would require a huge number of hosts or someone inside the network deliberately overloading the switches. Even the cheapest workgroup switches I've seen had CAM tables that could hold over 8000 entries (8192 to be exact).

Is your organization using VLANs? If so, is it possible that you're connected to a switchport configured as a trunk? Some capture programs (like tcpdump) don't show 802.1q headers unless specifically told to do so, so sniffing traffic on a trunk port can make the entire network look like one huge collision domain.
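To show what the 802.1Q headers mentioned above look like, here is an added example (not from the original post or from tcpdump/Wireshark) that decodes the tag on each frame and counts frames per VLAN over a constructed sample of what a trunk-port capture might contain; the MAC addresses and VLAN IDs are made up.

```python
import struct
from collections import Counter

ETHERTYPE_VLAN, ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x8100, 0x0800, 0x0806

def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet II header and, if present, one 802.1Q tag (TPID 0x8100)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "vlan": None, "pcp": None}
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF         # low 12 bits of the TCI: VLAN ID
        info["pcp"] = tci >> 13             # top 3 bits: priority code point
        offset = 18
    info["ethertype"] = ethertype           # the real ethertype follows the tag
    info["payload"] = frame[offset:]
    return info

def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Construct a frame for testing; vlan_id adds an 802.1Q tag with PCP 0 / DEI 0."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def vlans_seen(frames):
    """Frames per VLAN ID; the None key counts untagged (native VLAN) frames."""
    return Counter(parse_frame(f)["vlan"] for f in frames)

# constructed sample of what a capture on a trunk port might hold (not real traffic)
SAMPLE_TRUNK = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", ETHERTYPE_ARP, b"\x00\x01", vlan_id=10),
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:01", ETHERTYPE_IPV4, b"\x45", vlan_id=10),
    build_frame("00:11:22:33:44:0a", "00:11:22:33:44:09", ETHERTYPE_IPV4, b"\x45", vlan_id=20),
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:ee", ETHERTYPE_ARP, b"\x00\x01"),  # untagged
]
```

On a live capture, `tcpdump -e` prints the tag with the link-level header and the `vlan` filter keyword matches tagged frames, while Wireshark decodes the tag by default; seeing several VLAN IDs in a capture is itself strong evidence of being on a trunk.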
 
Old 01-26-2015, 10:57 AM   #12
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
Jefro,
As I observed, the switch has been acting like that only.

TBOne,
I am pretty sure that the admins have configured everything perfectly. I know about ARP poisoning, but I have not checked for it. How do I confirm that, "if there is ARP poisoning in progress"?

Ser Olmy,
Yes there are VLANs and there is a possibility of me connected to a trunk port.
Quote:
Some capture programs (like tcpdump) don't show 802.1q headers unless specifically told to do so, so sniffing traffic on a trunk port can make the entire network look like one huge collision domain.
I didn't clearly understand this point!

One more point that I would like to add is that when I was connected to the edge switch or main switch directly I was able to capture around 10 lac packets in a few hours, but when I changed my connection to another switch (just to test the switch), I couldn't even capture 1k packets. I hope this helps!

regards,
nm

Last edited by NM04; 01-26-2015 at 10:58 AM.
 
Old 01-26-2015, 12:49 PM   #13
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,699

Rep: Reputation: 7972
Quote:
Originally Posted by NM04
As I observed, the switch has been acting like that only.
Acting like WHAT only??
Quote:
I am pretty sure that the admins have configured everything perfectly. I know about ARP poisoning, but I have not checked for it. How do I confirm that, "if there is ARP poisoning in progress"?
Why do you assume they have done it 'perfectly'??? Things are not LOOKING like they did them 'perfectly', since you're seeing what you're seeing. The results you're getting are great indicators that ARP poisoning is taking place...examine the ARP tables to confirm things.
Quote:
Yes there are VLANs and there is a possibility of me connected to a trunk port.
...which would give you the results you're seeing, and point back to the network administrators not being too good, because you should NEVER hand out trunk/span ports to users for no good reason. Those things are typically reserved for maintenance/monitoring.
Quote:
One more point that I would like to add is that when I was connected to the edge switch or main switch directly I was able to capture around 10 lac packets in a few hours, but when I changed my connection to another switch (just to test the switch), I couldn't even capture 1k packets. I hope this helps!
Not really, since without knowing how those things are configured in your environment, that might be totally normal or very bad.
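As an added example of examining the ARP table the way the reply above suggests (not code from the original thread), the following parses `ip neigh show` output and flags the two classic signs of a poisoned cache: one MAC answering for several IPs, and the gateway's MAC differing from the documented one or changing between two snapshots. The sample output, the addresses and the "documented" gateway MAC are all constructed.

```python
from collections import defaultdict

# constructed sample of `ip neigh show` output taken now (not a real capture)
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:77 REACHABLE
192.168.1.20 dev eth0 lladdr 00:1a:2b:3c:4d:20 STALE
192.168.1.42 dev eth0 FAILED
192.168.1.77 dev eth0 lladdr 00:1a:2b:3c:4d:77 REACHABLE
"""

# constructed earlier snapshot of the same cache, for comparison
EARLIER_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:1a:2b:3c:4d:20 REACHABLE
"""

def parse_neigh(text):
    """Return (ip, mac, state) tuples for every entry that has a resolved MAC."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" in tok:                 # FAILED/INCOMPLETE entries carry no MAC
            entries.append((tok[0], tok[tok.index("lladdr") + 1].lower(), tok[-1]))
    return entries

def shared_macs(entries):
    """MACs answering for more than one IP. A lead, not proof: a router with several
    addresses or a host with IP aliases looks the same, so check against inventory."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_ok(entries, gw_ip, expected_mac):
    """True only if the cache maps the gateway IP to exactly the documented MAC."""
    return {mac for ip, mac, _ in entries if ip == gw_ip} == {expected_mac.lower()}

def changed_mappings(old_entries, new_entries):
    """IPs whose MAC differs between two snapshots taken some time apart."""
    old = {ip: mac for ip, mac, _ in old_entries}
    return {ip: (old[ip], mac) for ip, mac, _ in new_entries if ip in old and old[ip] != mac}
```

Run the check on the host that sees the traffic and on a second host on the same segment; a gateway MAC that differs between the two is much harder to explain away than a single odd entry.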
 
Old 01-27-2015, 05:00 AM   #14
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Original Poster
Rep: Reputation: 14
-- Acting like a hub, meaning it is broadcasting every packet it receives.

-- About the perfection: the boss says he did it perfectly, so it's like "the boss is always right", and I am helpless about any misconfiguration. It's like I have to prove my point, and for that I need some concrete evidence and some sound logic to make them understand.

Now, we have multiple VLANs and these VLANs are connected to each other (inter-VLAN connectivity) via a TRUNK port. And I am connected to a trunk port (I read that trunk ports carry all the traffic from & to VLANs), so how am I able to sniff that traffic when it is not destined for me? Also, if you are correct that sniffing is possible on a trunk port, is there any alternative?

best,
nm

Last edited by NM04; 01-27-2015 at 05:04 AM.
 
Old 01-27-2015, 08:36 AM   #15
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,699

Rep: Reputation: 7972
Quote:
Originally Posted by NM04
-- Acting like a hub, meaning it is broadcasting every packet it receives.
Right...which leads back to "It's not configured correctly, or you're attached to a span/trunk port"
Quote:
-- About the perfection: the boss says he did it perfectly, so it's like "the boss is always right", and I am helpless about any misconfiguration. It's like I have to prove my point, and for that I need some concrete evidence and some sound logic to make them understand.
No, you DON'T... your boss isn't any more perfect than anyone else. If they THINK they are, then hand this back to them, and tell them to prove it. Since you're saying that you aren't the network administrator, and your boss IS, then describe what you're seeing, and tell them to fix it.

You have 'concrete evidence'...you've posted it here. You SHOULD NOT be able to see what you're seeing, unless YOU are intentionally poisoning the ARP table.
Quote:
Now, we have multiple VLANs and these VLANs are connected to each other (inter-VLAN connectivity) via a TRUNK port. And I am connected to a trunk port (I read that trunk ports carry all the traffic from & to VLANs), so how am I able to sniff that traffic when it is not destined for me? Also, if you are correct that sniffing is possible on a trunk port, is there any alternative?
BECAUSE YOU ARE CONNECTED TO A TRUNK PORT, as you've been told SEVERAL TIMES NOW. Trunk/span ports *CAN* see traffic on all networks...that's their function.
 