22

We have several standard non-managed 3com switches in a network. I thought switches were supposed to only send packets between the peers of a connection.

However, it appears that network sniffing software running on a computer attached to any one of the switches is able to detect traffic (i.e. YouTube video streaming, web pages) of other host computers attached to other switches on the network.

Is this even possible or is the network thoroughly broken?

Dan
Can Kavaklıoğlu
  • Maybe you need to look at this post: http://serverfault.com/questions/214881/ethernet-network-topology/ – Khaled Jan 01 '12 at 08:34
  • My experience suggests a situation more like the case in David's answer. The sniffing computer appears to be receiving not some but all packets that all other computers are transmitting. – Can Kavaklıoğlu Jan 01 '12 at 10:12
  • Are you certain that you aren't just seeing broadcast traffic on the sniffing software? Just because you see something, doesn't mean you are seeing everything. – Jed Daniels Jan 02 '12 at 18:26

3 Answers

24

To complete David's answer, a switch learns who is behind a port by looking at the MAC addresses of packets received on that port. When the switch is powered on, it knows nothing. Once device A sends a packet from port 1 to device B, the switch learns that device A is behind port 1, and sends the packet to all ports. Once device B replies to A from port 2, the switch only sends the packet on port 1.

This MAC to port relationship is stored in a table in the switch. Of course, many devices can be behind a single port (if a switch is plugged in to the port as an example), so there may be many MAC addresses associated with a single port.

This algorithm breaks when the table is not large enough to store all the relationships (not enough memory in the switch). In this case, the switch loses information and begins to send packets to all ports. This can easily be done (now you know how to hack your network) by forging lots of packets with different MACs from a single port. It can also be done by forging a packet with the MAC of the device you want to spy on, and the switch will begin sending you the traffic for that device.

Managed switches can be configured to accept a single MAC from a port (or a fixed number). If more MACs are found on that port, the switch can shutdown the port to protect the network, or send a log message to the admin.

EDIT:

About the YouTube traffic, the algorithm described above only works on unicast traffic. Ethernet broadcast (ARP as an example) and IP multicast (used sometimes for streaming) are handled differently. I do not know if YouTube uses multicast, but it might be a case where you can sniff traffic not belonging to you.

About web page traffic, this is strange, as the TCP handshake should have set the MAC to port table correctly. Either the network topology cascades a lot of very cheap switches with small tables that are always full, or somebody is messing with the network.

Jed Daniels
jfg956
  • I will try to learn models of switches and report back. Could the culprit be a cheap switch located at the top of the network topology? I guess it becomes even more complicated in that case. What would the policy of a switch be if a packet which does not belong to any of its ports arrives from the cheap switch located above itself on the topology? – Can Kavaklıoğlu Jan 01 '12 at 12:26
  • If a packet arrives at a switch, and the destination MAC address of this packet is not known, the packet is sent to all ports (whether the switch is managed or non-managed, and whether the packet comes from a switch or a device is not important). Additionally, the table is updated with the source MAC address of the packet, which leads to several possibilities: no problem with the update, the table is full and the addition deletes a valid entry, or the update removes a valid MAC to port relationship. The last 2 cases lead to problems on the network. – jfg956 Jan 01 '12 at 12:35
6

This is a common misunderstanding. Unless it is statically configured, a switch must send every packet over every port that it cannot prove it does not need to send that packet out on.

This could mean that a packet only gets sent to the port that contains the destination device. But this cannot always be the case. For example, consider the very first packet the switch receives. How could it know which port to send it out on?

Suppressing packets from being sent out on the 'wrong' port is an optimization a switch uses when it can. It's not a security feature. Managed switches do often provide actual port security.

David Schwartz
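The learning and flooding behaviour described in jfg956's answer (learn the source MAC, flood unknown destinations, lose entries when the table is full, shut a port on a managed switch when it sees too many MACs) and the "optimization, not a security feature" point in David's answer can be seen in a toy model. The following is an added example written for this page, not code from either answer or from any switch vendor; the LRU-style table with a hard size cap, the port names, the MAC strings and the `max_macs_per_port` port-security knob are all constructed assumptions that model the behaviour, not real 3com firmware.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy transparent bridge: learns source MACs, floods unknown destinations.

    Constructed model, not real switch firmware. `table_size` caps the
    MAC-to-port table (oldest entry evicted when full, like a cheap switch with
    little CAM memory). `max_macs_per_port` models managed-switch port
    security: None means disabled.
    """

    def __init__(self, num_ports, table_size, max_macs_per_port=None):
        self.num_ports = num_ports
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port
        self.table = OrderedDict()        # MAC -> port, oldest entry first
        self.disabled_ports = set()
        self.log = []

    def _macs_on_port(self, port):
        return {mac for mac, p in self.table.items() if p == port}

    def _learn(self, src, in_port):
        """Record src behind in_port; return False if port security tripped."""
        if self.max_macs_per_port is not None and self.table.get(src) != in_port:
            if len(self._macs_on_port(in_port)) >= self.max_macs_per_port:
                self.disabled_ports.add(in_port)
                self.log.append(f"port {in_port} shut down: too many MACs ({src})")
                return False
        if src in self.table:
            self.table.move_to_end(src)                 # refresh existing entry
        elif len(self.table) >= self.table_size:
            evicted, _ = self.table.popitem(last=False)  # table full: lose a valid entry
            self.log.append(f"table full: evicted {evicted}")
        self.table[src] = in_port
        return True

    def forward(self, src, dst, in_port):
        """Return the set of egress ports a frame src -> dst is sent out on."""
        if in_port in self.disabled_ports or not self._learn(src, in_port):
            return set()
        others = {p for p in range(self.num_ports)
                  if p != in_port and p not in self.disabled_ports}
        if dst == BROADCAST or dst not in self.table:
            return others                               # flood: nothing proves it is not needed
        out = self.table[dst]
        return set() if out == in_port else {out}       # known: single port, or filtered


def demo_normal():
    """A and B learn each other; after the first exchange traffic stops flooding."""
    sw = LearningSwitch(num_ports=4, table_size=64)
    first = sw.forward("A", "B", in_port=1)    # B unknown: flooded to 0, 2, 3
    reply = sw.forward("B", "A", in_port=2)    # A known: port 1 only
    second = sw.forward("A", "B", in_port=1)   # both known: port 2 only
    return first, reply, second


def demo_table_exhaustion(sniffer_port=3):
    """Many source MACs on one port evict A and B; A->B floods to the sniffer port."""
    sw = LearningSwitch(num_ports=4, table_size=4)
    sw.forward("A", "B", 1)
    sw.forward("B", "A", 2)
    for i in range(10):                        # constructed: 10 distinct MACs on port 3
        sw.forward(f"X{i}", BROADCAST, sniffer_port)
    egress = sw.forward("A", "B", 1)
    return sniffer_port in egress, egress, sw.log


def demo_port_security():
    """Same flood of MACs, but the port is limited to one MAC and gets shut down."""
    sw = LearningSwitch(num_ports=4, table_size=4, max_macs_per_port=1)
    sw.forward("A", "B", 1)
    sw.forward("B", "A", 2)
    sw.forward("X0", BROADCAST, 3)             # first MAC on port 3: allowed
    sw.forward("X1", BROADCAST, 3)             # second MAC: port 3 shut down, logged
    later = sw.forward("A", "B", 1)            # A/B entries survive: port 2 only
    return 3 in sw.disabled_ports, later, sw.log


if __name__ == "__main__":
    print(demo_normal())
    print(demo_table_exhaustion())
    print(demo_port_security())
```

The model shows why the flooding is an optimization rather than a guarantee: the switch floods exactly when it cannot prove a frame is not needed on a port, and a full table puts it back in that state. The port-security variant is the managed-switch mitigation from the answer above; on an unmanaged switch the only controls are table size and topology.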
0

It's possible that ARP Cache Poisoning is in effect. This is a technique used, often maliciously, to sniff a switched network. This is done by convincing every machine on the network that every other machine has your MAC address (using the ARP protocol). This will cause the switch to forward all packets to your machine - you'll want to forward them along after analysis. This is commonly used in man-in-the-middle attacks, and is available in various sniffing tools such as Cain & Abel or ettercap.

lutzky
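The ARP cache poisoning lutzky describes leaves a footprint that a passive monitor on the segment can catch: an IP address whose announced MAC suddenly changes, or one MAC that starts answering for several IPs. The following detection sketch is an added example for this page, not code from the answer or from any tool it names; the ARP reply records, the IP and MAC values and the `max_ips_per_mac` threshold are constructed, and the same audit is what tools such as arpwatch perform on live traffic.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a monitor on the segment would log
# them: (seconds, sender IP, sender MAC). Not captured from a real network.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway answers for itself
    (1, "192.168.1.10", "00:11:22:33:44:10"),
    (2, "192.168.1.11", "00:11:22:33:44:11"),
    (30, "192.168.1.1", "00:11:22:33:44:11"),   # host .11's MAC now claims the gateway IP
    (31, "192.168.1.10", "00:11:22:33:44:11"),  # ... and host .10's IP as well
]


def audit_arp(replies, max_ips_per_mac=1):
    """Flag IP->MAC changes and MACs claiming more than max_ips_per_mac IPs.

    Returns a list of alert strings in the order the suspicious replies were
    seen; an empty list means the sample looks consistent.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={t}: {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"t={t}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


def clean_sample():
    """Constructed control: the same hosts with stable mappings, no alerts."""
    return [(t, ip, mac) for (t, ip, mac) in SAMPLE_ARP_REPLIES if t < 10]


if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_ARP_REPLIES):
        print(alert)
```

A real monitor would also want the first-seen time per pair and a whitelist for hosts that legitimately answer for several addresses (routers with VRRP, virtualization hosts), or the threshold produces noise. On managed switches the preventive counterpart is Dynamic ARP Inspection, which drops ARP replies that do not match the switch's DHCP-snooping or static bindings.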