Network Security Pen-Test

Re: Port mirroring detection

Subject: Re: Port mirroring detection
Date: Tue, 14 Dec 2004 21:45:00 -0500


"John" == John Madden <chiwawa999@yahoo.com> writes:
    John> More of a suspicion...

    John> I've asked the question to our administrators but
    John> let's just say I want to check for myself.

  How many ports can you control?

  On a system with a suspected span port, turn on promisc.
  Send a packet with the wrong MAC for the system, but layer-3 unicast
to that system. See if you get a response.

  If the system with the span port is trying to be stealthy (which
ultimately, can mean that the Tx pair is cut...) then you may be out of
luck.

  *SOME* switches will flow control the traffic if the mirror port is
going to overflow. So, if you have 4 additional ports, and you can set
up two full bandwidth streams between them, *AND* the switch does
flow control you, then you may not see full bandwidth.
  (More likely in GigE)

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
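The wrong-MAC probe described in the message above, as an added example that is not part of the original post: it builds an ICMP echo request whose Ethernet destination is deliberately not the target's MAC while the IP destination is the target's, and recognises a matching echo reply. The MAC and IP values used with it, the `span-probe` payload and all function names are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def build_probe(src_mac, wrong_dst_mac, src_ip, dst_ip, ident=0x1234, seq=1):
    """Ethernet/IPv4/ICMP echo request: layer-3 unicast to dst_ip, but
    addressed at layer 2 to a MAC that is NOT the target's own."""
    payload = b"span-probe"                       # constructed marker payload
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp), ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                         64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth = mac_bytes(wrong_dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    return eth + ip_hdr + icmp

def is_reply_to_probe(frame, probed_ip, ident=0x1234, seq=1):
    """True if frame is an ICMP echo reply from probed_ip matching our id/seq.
    A NIC that filters on its own MAC never hands the probe to its IP stack,
    so a reply suggests the interface is accepting frames not addressed to it."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False                              # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4                  # IP header length in bytes
    if frame[23] != 1 or frame[26:30] != ip_bytes(probed_ip):
        return False                              # not ICMP, or wrong sender
    icmp = frame[14 + ihl:]
    if len(icmp) < 8:
        return False
    icmp_type, code, _, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    return (icmp_type, code, rid, rseq) == (0, 0, ident, seq)
```

No reply is inconclusive: as the message notes, a receive-only tap cannot answer, and many IP stacks discard frames addressed to another MAC even when the interface is in promiscuous mode.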
