[PLUG] help with switches

drew wymore drew.wymore at gmail.com
Mon Feb 5 22:28:09 UTC 2007


On 2/5/07, jason justman <jason at jasonjustman.com> wrote:
>
> you can usually do a MAC flood and force the switch to dump the port
> into promiscuous mode - most switches have a 4k/8k MAC address table.
>
> http://www.rootsecure.net/content/downloads/pdf/arp_spoofing_intro.pdf
>
> you're better off getting a cheap switch that can do L3 management and
> provide you with a monitor port/port mirror.
> j
>
> Dan Young wrote:
> > On 2/5/07, Carla Schroder <carla at bratgrrl.com> wrote:
> >> I'm having a hard time finding an answer to what seems to be a simple
> >> question- what Ethernet switches include monitor ports for sniffing all
> >> network traffic? I assume that unmanaged switches don't have this, though
> >> it would be nice to be wrong because they're inexpensive. I've been looking
> >> at all kinds of managed and 'smart' switches, and I'm not seeing anything in
> >> their specs that sounds like what I'm looking for. Is there some magic
> >> buzzword I should be looking for? Got any specific models to recommend?
> >
> > It's sometimes called port mirroring. If the switch isn't "managed",
> > how would you enable/disable the port mirroring/monitoring function?
> >


Here's an L3 Cisco switch:

http://search.ebay.com/search/search.dll?from=R40&satitle=2948G

Depending on the architecture, if you're wanting to monitor all inbound
traffic to the switch from the outside and it's one link, you could run it
through a Linux box with 2 NICs, then going into the uplink on the switch
with clients plugged into the rest of the ports.

Drew-
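
The inline setup described in the message above (one uplink run through a Linux box with two NICs before it reaches the switch) can be built as a transparent bridge. This is an added example, not part of the original post; it assumes iproute2 and tcpdump are installed, and the interface names eth0/eth1, the bridge name br0 and the capture path are placeholders.

```shell
#!/bin/sh
# Added example: transparent capture bridge on a Linux box with two NICs.
# eth0/eth1, br0 and the pcap path are assumptions, not values from the thread.

# Accept only plausible interface names (Linux limit: 15 chars) so nothing
# unexpected is ever interpolated into a command line.
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the commands that build the bridge, one per line, without running them.
bridge_plan() {
    up=$1 down=$2 br=${3:-br0}
    for i in "$up" "$down" "$br"; do
        valid_if "$i" || { echo "bad interface name: $i" >&2; return 2; }
    done
    if [ "$up" = "$down" ] || [ "$up" = "$br" ] || [ "$down" = "$br" ]; then
        echo "uplink, downlink and bridge must be three different names" >&2
        return 2
    fi
    echo "ip link add name $br type bridge"
    for i in "$up" "$down"; do
        # No IP address on the member ports: the box stays invisible at layer 3.
        echo "ip addr flush dev $i"
        echo "ip link set dev $i master $br"
        echo "ip link set dev $i up"
    done
    echo "ip link set dev $br up"
}

# Build the bridge for real (needs root), then capture everything crossing it.
run_bridge() {
    plan=$(bridge_plan "$@") || return
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply:" >&2; echo "$plan" >&2; return 1; }
    echo "$plan" | while IFS= read -r cmd; do
        $cmd || exit 1          # word splitting is safe: names were validated
    done || return 1
    tcpdump -i "${3:-br0}" -n -w /var/tmp/uplink.pcap
}

# Only act when called with arguments, e.g.: sh bridge.sh eth0 eth1
if [ "$#" -ge 2 ]; then run_bridge "$@"; fi
```

Review the output of `bridge_plan eth0 eth1` before applying it: flushing addresses on the NIC you are logged in through will drop your session.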


