Just curious why most packet sniffers are limited to their segment? Is it the nature of a gateway to block the attempt outside a subnet?

cheers

Steve
piagetblix

3 Answers

If I understand what you're asking correctly, then the limitations are not imposed by the sniffer itself, but by what it can physically see going past on the wire.

What you'll be able to sniff is mainly limited by the placement of your sniffer and the type of network you are on. For example, on a network using a hub you'll be able to see all the traffic being sent to every machine connected to that hub, but on a switched network you'll most likely only be able to see the traffic that is destined for you.

Mark Davidson
  • Yeah, I believe what I'm asking is directed at the limits imposed by a gateway/router rather than the sniffer app. What limits such apps from 'seeing' past the gateway router? – piagetblix Mar 04 '11 at 16:27
  • Specifically what apps are you talking about? Are you talking about running something like Wireshark on your machine and listening on the local interface? – Mark Davidson Mar 04 '11 at 16:28
  • Not focusing on any specific app; the second part of your answer, Mark, is the area that I want to understand more. The 'why' of how switched traffic limits what can be 'seen' is where I'm curious. Thanks – piagetblix Mar 04 '11 at 17:03
If segment = subnet, then they are limited because the router doesn't broadcast all the traffic to everyone (hubs however do*, in some cases), and on a switched network you will only see the traffic for your PC and not all the traffic on the network... Read up on Router vs Switch vs Hub vs Bridge and you'll understand...

Sigtran
  • Agh, there we go, it's the nature of the broadcast that limits what traffic is available... – piagetblix Mar 04 '11 at 16:29
  • It's not as much the nature as the structure of these things - e.g. on a switch everyone has a physical dedicated connection to the switch (costs a lot, but secure*; ARP injections / other attacks are still possible, depending on their structure / software) and on the hub everyone is connected via the same physical line (cheap and insecure), making the traffic available to everyone. – Sigtran Mar 04 '11 at 16:36
  • So are you referring to a 'multi-layer' switch vs the 'classic' layer 2 type? – piagetblix Mar 04 '11 at 16:39
  • Layer 1 = hub, layer 2 = bridge, layer 3 & above = switch & router – Sigtran Mar 04 '11 at 16:44
  • Everything besides the hub is usually multilayer, and now it's hard to find something that is just a hub, as the hardware is so cheap. – Sigtran Mar 04 '11 at 16:48
  • Weren't some switches considered layer 2? That's how I was originally introduced to it... some time ago. BTW, thanks for the dialogue! – piagetblix Mar 04 '11 at 16:59
  • @Sigtran - why go for a hub? No need any more. You can tell a switch/router to broadcast if you want to :-) – Rory Alsop Mar 05 '11 at 00:29
  • @Rory Alsop the reason to have a hub is that it used to be much cheaper than a switch ;|) That's all; cost was a problem then. @piagetblix as far as I know a switch now must be aware of IP multicasting (layer 3). There were "switches" that technically used some sort of data plane & were only operating @ layer 2... but that was a long time ago. – Sigtran Mar 07 '11 at 09:16
  • @Sigtran - sure, there used to be a significant price difference, but not any more. Switches are cheap as chips nowadays :-) – Rory Alsop Mar 07 '11 at 14:13
  • @Sigtran: Switches don't have to be layer 3 aware. Too much text to paste here, but Wikipedia explains that unaware switches send the multicast traffic out all switch ports to be filtered by endpoints: http://en.wikipedia.org/wiki/IP_multicast – Bradley Kreider Mar 08 '11 at 19:29
  • @rox0r yeah, I know that there are layer 2 switches, as mentioned above, but they use forward/data planes (http://en.wikipedia.org/wiki/Forwarding_plane). Switches DO NOT send traffic to all ports (that's why there is a term "switched network") and basically that's their main purpose - to NOT show all the traffic to everyone. If they were showing traffic to everyone, then they would be no different to hubs & there would be no reason to have 100's of personal network cables instead of just having one cable (cost is still in effect here). – Sigtran Mar 09 '11 at 09:31
  • @Sigtran: Of course they don't send traffic out all ports unless it is broadcast traffic, or multicast traffic and they don't support multicast. But switches can operate purely at layer 2; they don't need to know IP addresses to forward layer 2 traffic out only one port. 802.1D-2004 section 7.7 talks about the forwarding process, with the main work being done by the topology enforcement and the filtering process. – Bradley Kreider Mar 10 '11 at 06:35
  • @rox0r I think we are talking about the same process of filtering messages :P I thought that "...switches sent the multicast traffic out all switch ports to be filtered by endpoints" meant that the switches send traffic to all the connected devices and the traffic is filtered @ these devices. Simple misunderstanding :( – Sigtran Mar 10 '11 at 09:53
Just curious why most packet sniffers are limited to their segment?

What are you defining as "their" segment? Packet sniffing only works by listening to packets on a medium that the sniffer can listen to. If the medium has lots of people talking on it, it can hear them. But if people are miles away talking on a different medium, it is physically impossible for your sniffer to pick up those packets unless it is physically connected to that medium.

The only reason this works at all is that Ethernet is generally a broadcast medium (like a bus). Modern networks change this from a bus to a switched network, which makes it a star network.

Bradley Kreider
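To make the hub-versus-switch point from the second and third answers (and the comment thread about flooding) concrete, here is an added toy model that is not from the thread: a repeating hub and a MAC-learning switch replay the same ARP-then-TCP exchange, and we record which frames a third host running a sniffer would receive. The hosts, ports and MAC addresses are constructed for the example.

```python
"""Toy model of why a sniffer sees everything on a hub but only
broadcast/flooded frames on a learning switch (added example; the
topology and MACs below are constructed, not from any real network)."""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group_address(mac):
    # Group bit = least-significant bit of the first octet (covers broadcast too).
    return int(mac.split(":")[0], 16) & 1 == 1

class Hub:
    """Layer 1: repeats every frame out of every port except the ingress port."""
    def __init__(self, ports):
        self.ports = ports  # {port_number: host_name}
    def forward(self, in_port, frame):
        return sorted(h for p, h in self.ports.items() if p != in_port)

class LearningSwitch:
    """Layer 2: learns src MAC -> port; floods only when it has no better choice."""
    def __init__(self, ports):
        self.ports = ports
        self.table = {}  # MAC -> port learned from source addresses
    def forward(self, in_port, frame):
        self.table[frame.src] = in_port
        out = self.table.get(frame.dst)
        if out is not None and out != in_port and not is_group_address(frame.dst):
            return [self.ports[out]]          # known unicast: one port only
        # unknown unicast, broadcast or multicast: flood to every other port
        return sorted(h for p, h in self.ports.items() if p != in_port)

HOSTS = {1: "alice", 2: "bob", 3: "sniffer"}            # constructed topology
MAC = {"alice": "02:00:00:00:00:01", "bob": "02:00:00:00:00:02"}

def run_scenario(device):
    """Replay alice<->bob traffic and return the frame labels the sniffer receives."""
    seen = []
    def send(port, src, dst, label):
        if "sniffer" in device.forward(port, Frame(src, dst)):
            seen.append(label)
    send(1, MAC["alice"], BROADCAST, "arp-request")     # alice asks who has bob
    send(2, MAC["bob"], MAC["alice"], "arp-reply")       # bob answers alice directly
    send(1, MAC["alice"], MAC["bob"], "tcp-syn")        # both MACs now learned
    send(2, MAC["bob"], MAC["alice"], "tcp-synack")
    return seen

if __name__ == "__main__":
    print("hub   :", run_scenario(Hub(HOSTS)))
    print("switch:", run_scenario(LearningSwitch(HOSTS)))
```

On the hub the sniffer receives all four frames; on the switch it receives only the ARP broadcast, which is exactly why a sniffer on a switched segment sees its own traffic plus broadcasts and not its neighbours' unicast conversations.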