
Question from a CEHv9 exam preparation book:

"When scanning a network via a hardline connection to a wired-switch NIC in promiscuous mode, what would be the extent of network traffic you would expect to see? A. Entire network B. VLAN you are attached to C. All nodes attached to the same port D. None"

I went for B, but according to the book it's C and I don't get it. What does "all nodes attached to the same port" even mean?

Explanation of the answer from the book:

Because each switchport is its own collision domain, only nodes that reside on the same switchport will be seen during a scan.

    What a poorly written question. If you're "scanning a network" you would presumably see "network traffic" associated with your scan test responses from all the hosts on that network. So I could justify answering A. If that's not what they mean by "network traffic" and instead mean actual VLAN network broadcasts then you could answer B. If they wanted C to be the clearly correct choice they should have dropped the whole idea of scanning and just said "monitoring a network" and then changed "network traffic" to "all host traffic". – PwdRsch Mar 11 '17 at 19:36
  • Yes, the book sucks ... certificates too btw – cyzczy Mar 11 '17 at 19:40

1 Answer


Yes, it is answer 'C'. Switches forward traffic based on MAC address. So if we have port fa0/1 and port fa0/2, and you are attached to fa0/2 with a MAC of BB:BB:BB:BB:BB:BB and fa0/1 has a MAC of all A's, anything destined for a MAC address of all A's will only be forwarded out port fa0/1 and nowhere else, because these messages are unicast, meaning destined for only one host. You would, however, receive the broadcast messages.

Each port on a switch is on its own collision domain. Back in the days of the 'hub', multiple nodes shared the same collision domain and in this case you would be able to listen to all traffic passing through that collision domain.

So the reason it is not B is because traffic is destined for 1 port and 1 port only so you would only receive information from the port you are connected to.

There is something called SPAN (Switched Port Analyzer) on Cisco devices, with which you can mirror traffic from a VLAN or multiple ports and send it to the port you are connected to, thus receiving all of the traffic.

    Answer 'C' implies that multiple computers ("nodes"?) can be on a single port, is that possible with certain switches or is it just written funky? – Ryan Kelso Mar 15 '17 at 14:49
  • 1
    @RyanKelso they might have some justification for the way they wrote it, but in my opinion it is very poorly written. You can't have multiple devices on 1 port. You can have another switch attached to that switch port with nodes on that switch, but it still doesn't make sense with the way they are describing it. – nd510 Mar 15 '17 at 16:27
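The forwarding behaviour described in the answer, as an added example that is not part of the original post: a toy learning switch that sends known unicast to one port only, floods broadcast and unknown-unicast, and optionally mirrors a port with SPAN. The port names, MACs and the `Switch`/`sniffed_on_fa0_2` helpers are constructed for illustration; the flooded "unknown dst" frame is the one case a promiscuous NIC sees beyond broadcast and its own traffic.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Minimal learning switch: unicast goes only to the learned port,
    broadcast and unknown-unicast are flooded to every other port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}            # learned source MAC -> ingress port
        self.mirror = {}               # SPAN: monitored port -> monitor port
        self.seen = defaultdict(list)  # frames delivered out of each port

    def span(self, monitored, monitor):
        """Mirror frames received on `monitored` to `monitor` (SPAN, rx direction)."""
        self.mirror[monitored] = monitor

    def receive(self, in_port, src, dst, payload):
        self.mac_table[src] = in_port  # learn where the sender lives
        if dst == BROADCAST or dst not in self.mac_table:
            out_ports = [p for p in self.ports if p != in_port]  # flood
        else:
            out_ports = [self.mac_table[dst]]  # one port, nowhere else
        for port in out_ports:
            self.seen[port].append(payload)
        monitor = self.mirror.get(in_port)
        if monitor is not None and monitor not in out_ports:
            self.seen[monitor].append(payload)  # mirrored copy for the sniffer


def sniffed_on_fa0_2(with_span=False):
    """Return what a promiscuous NIC on fa0/2 would capture in a short exchange (constructed)."""
    sw = Switch(["fa0/1", "fa0/2", "fa0/3"])
    A, B, C = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    if with_span:
        sw.span("fa0/3", "fa0/2")  # mirror fa0/3 to the port we sit on
    # Each host announces itself with a broadcast (think ARP) so the switch learns its port
    for port, mac in (("fa0/1", A), ("fa0/2", B), ("fa0/3", C)):
        sw.receive(port, mac, BROADCAST, f"arp-from-{mac[:2]}")
    sw.receive("fa0/3", C, A, "unicast C->A")                    # goes to fa0/1 only
    sw.receive("fa0/1", A, B, "unicast A->B")                    # addressed to us
    sw.receive("fa0/1", A, "dd:dd:dd:dd:dd:dd", "unknown dst")   # not learned: flooded
    sw.receive("fa0/1", A, BROADCAST, "bcast A")                 # flooded
    return sw.seen["fa0/2"]
```

Without SPAN the capture on fa0/2 holds only broadcasts, the flooded unknown-unicast frame and frames addressed to fa0/2's own MAC; with SPAN the fa0/3 unicast appears as well.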