Linux Today: Linux News On Internet Time.

Linux Journal: SwitchSniff

Mar 05, 2002, 23:59
(Other stories by Sumit Dhar)
"While I was at university, I once discussed the topic of sniffers with an experienced network administrator. He casually mentioned that he was not bothered by sniffers, as all his machines were connected to switches. This was someone who was paranoid about security and read almost all security newsgroups religiously, but he was living in complete ignorance about the threat to his network. Unfortunately, he is not alone as many experienced systems and network administrators feel switches are immune to being sniffed. Switches may be difficult to sniff, but they are certainly not immune.

A computer connected to the LAN has two addresses. One is the MAC (media access control) address that uniquely identifies each node in a network and is stored on the network card itself. Each network card has a unique MAC address. It is the MAC address that gets used by the Ethernet protocol while building 'frames' to transfer data to and from a machine. The other address is the IP address, which is used by applications.

The Ethernet header uses the MAC address of the destination machine and not the IP address. It is the job of the network layer to map a particular IP address to the corresponding MAC address, as required by the Data Link Protocol. It does this by initially looking up the MAC address of the destination machine in a table, usually called the ARP cache. If no entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that address responds to the source machine with its MAC address (ARP reply). This MAC address is added to the source machine's ARP cache, and it is then used by the source machine in all its communications with the destination machine."
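The request/reply exchange the excerpt describes, worked through in code. This is an added example written for this page, not code from the Linux Journal article or from its author: it builds the Ethernet/IPv4 ARP frames byte for byte, parses them, and runs a small two-host simulation in which a cache miss triggers a broadcast request, the owner of the IP answers with a unicast reply, and the requester records the mapping. The host names, MAC and IP addresses are constructed sample values, and the `Host` class and its `conflicts` list are illustrative additions, not part of any real stack.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) followed by a 28-byte Ethernet/IPv4 ARP packet."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Decode an ARP frame into a dict; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


class Host:
    """Illustrative station (not a real stack): one MAC, one IP, an ARP cache."""

    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.arp_cache = {}   # IP -> MAC, as the excerpt describes
        self.conflicts = []   # (ip, old_mac, new_mac) whenever a cached mapping changes

    def resolve(self, ip):
        """Cache hit: return (mac, None). Cache miss: return (None, broadcast request frame)."""
        if ip in self.arp_cache:
            return self.arp_cache[ip], None
        request = build_arp_frame(ARP_REQUEST, BROADCAST_MAC, self.mac, self.ip, ZERO_MAC, ip)
        return None, request

    def _learn(self, ip, mac):
        old = self.arp_cache.get(ip)
        if old is not None and old != mac:
            self.conflicts.append((ip, old, mac))   # added check: mapping flipped
        self.arp_cache[ip] = mac

    def receive(self, frame):
        """Handle one ARP frame; return the unicast reply if we own the target IP, else None."""
        pkt = parse_arp_frame(frame)
        if pkt["target_ip"] != self.ip:
            return None
        # RFC 826: a packet addressed to our IP carries the sender's mapping; record it
        self._learn(pkt["sender_ip"], pkt["sender_mac"])
        if pkt["op"] == ARP_REQUEST:
            return build_arp_frame(ARP_REPLY, pkt["sender_mac"], self.mac, self.ip,
                                   pkt["sender_mac"], pkt["sender_ip"])
        return None


def demo():
    """Constructed sample exchange: alice resolves bob's IP on a cold cache."""
    alice = Host("00:11:22:33:44:55", "192.168.1.10")
    bob = Host("66:77:88:99:aa:bb", "192.168.1.20")
    mac, request = alice.resolve(bob.ip)   # miss -> broadcast ARP request
    reply = bob.receive(request)           # bob owns 192.168.1.20 -> unicast ARP reply
    alice.receive(reply)                   # alice records bob's MAC
    mac, _ = alice.resolve(bob.ip)         # now a cache hit, no traffic needed
    return alice.arp_cache, parse_arp_frame(request), parse_arp_frame(reply)
```

Note that neither frame carries anything that authenticates the sender mapping: a host records whatever sender MAC arrives in a packet addressed to its IP. The `conflicts` list is the kind of check a monitor such as arpwatch performs, flagging an IP whose MAC changes, and is a practical place to start if you want to notice that behaviour on a switched segment.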
