sniffing on a switched LAN

switch packet-sniffer

More expensive switches will offer port mirroring, where they will mirror the traffic of one or more ports to a dedicated monitor port for (among others) problems like yours.

But I am not sure at what price class features like that are offered.


A quick-and-dirty solution for sniffing a single device on is to add a second NIC, connect the device to be sniffed to one NIC (using a crossover cable if necessary) and the LAN to another, then bridge the connections and sniff on the bridge interface. Since you're not wedging the machine into a heavy traffic flow (presumably) you won't really slow anything down.

You can do this in Windows w/ the built-in bridging functionality and something like Wireshark. Linux will let you do the same thing. Other OS's mileage may vary-- I haven't tried it anywhere but on Windows and Linux.


There are two ways to sniff traffic in a switched network where you don't have access to the switch. The first is ARP spoofing, where you attempt to respond to ARP requests faster than the target device. This is obviously dependent on your ability to do that, so might be a little bit hit and miss. The second is to overflow the switch's forwarding tables. Every switch has a table of MAC addresses and which ports it's seen frames come in from, so the switch knows where to send future frames to. If the switch doesn't have the destination MAC address in the forwarding table, it sends it to every port. If you can fill up the forwarding table, the switch has no option to send all frames to every port, and you've effectively turned your switch into a hub. Unfortunately, more expensive switches have bigger forwarding tables, and might have per-port forwarding tables, which won't be vulnerable to this attack.

You can insert a hub between you and your target if you can find one. An alternative would be to use a Linux device with two NICs and bridging configured between them.

If you have a managed switch under your control, as other people have mentioned, you can use port mirroring to get a copy of everything on the target port(s).


  • Use ettercap and live happy.

    See wikipedia for a list of ARP spoofing capable tools

  • MAC Flooding attack can be tried too, depending on the switch you are attacking. If the switch is exposed to this kind of attack it will act as an HUB once overflowed.

  • You can of course use an HW approach (much more less flexible IMHO), a very inexpensive switch such as Dell 27xx and 28xx series offer port mirroring feature

Related

How do companies know they've been hacked?
How do I list currently running shell scripts?
trying to route between two openvpn clients
Is it good or not to include all frequently used and important addresses in /etc/hosts?
Why add an IPv6 address as /64?
What are the drawbacks of making all of my windows servers domain controllers?
Can't open IIS manager
Preventing an Apache 2 Server from Logging Sensitive Data
Walk-In Cooler Server Room?
How do I configure sshd on Debian to use Public Key Authentication?
Is WINs Still supported by Microsoft?
Would using SAS disks instead of SATA disks make sense over NFS for a VMWare datastore?