* Switch packet leakage
From: Mohamed Eldesoky @ 2005-03-27 11:23 UTC (permalink / raw)
To: netfilter
I heard that switches are not 100% perfect.
I mean sometimes it leaks packets to different ports, and you can
see packets not destined to you. Much like a hub.
Have you experienced that before ??
--
Mohamed Eldesoky
www.eldesoky.net
* Re: OT: Switch packet leakage
From: Jason Opperisano @ 2005-03-27 17:21 UTC (permalink / raw)
To: netfilter
On Sun, 2005-03-27 at 06:23, Mohamed Eldesoky wrote:
> I heard that switches are not 100% perfect.
> I mean sometimes it leaks packets to different ports, and you can
> see packets not destined to you. Much like a hub.
> Have you experienced that before ??
http://ettercap.sourceforge.net/
-j
--
"'Wet Cement' - is there any sweeter sign? Maybe 'High Voltage.'"
--The Simpsons
* Re: OT: Switch packet leakage
From: Cedric Blancher @ 2005-03-27 19:24 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
On Sunday 27 March 2005 at 12:21 -0500, Jason Opperisano wrote:
> http://ettercap.sourceforge.net/
Imho, ARP cache poisoning attacks have nothing to do with potential
switch leakage.
For the OP, I could experience leakage on old switches that turned to
"hub mode" when flooded, but nowadays, serious products don't seem to
have this kind of behaviour. Furthermore, you have plenty of options to
tweak so they can't hit such a situation, such as port security stuff.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: OT: Switch packet leakage
From: Mohamed Eldesoky @ 2005-03-28 11:34 UTC (permalink / raw)
To: Cedric Blancher, netfilter
I faced that problem with many switches from cisco, foundry, 3com !!!
The last switch I have tested was catalyst 3650 !!!
It is not a bad switch, I guess !!!
On Sun, 27 Mar 2005 21:24:20 +0200, Cedric Blancher
<blancher@cartel-securite.fr> wrote:
> On Sunday 27 March 2005 at 12:21 -0500, Jason Opperisano wrote:
> > http://ettercap.sourceforge.net/
>
> Imho, ARP cache poisoning attacks have nothing to do with potential
> switch leakage.
>
> For the OP, I could experience leakage on old switches that turned to
> "hub mode" when flooded, but nowadays, serious products don't seem to
> have this kind of behaviour. Furthermore, you have plenty of options to
> tweak so they can't hit such a situation, such as port security stuff.
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
>
>
--
Mohamed Eldesoky
www.eldesoky.net
RHCE
* Re: OT: Switch packet leakage
From: R. DuFresne @ 2005-03-28 11:42 UTC (permalink / raw)
To: Mohamed Eldesoky; +Cc: netfilter, Cedric Blancher
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 28 Mar 2005, Mohamed Eldesoky wrote:
> I faced that problem with many switches from cisco, foundry, 3com !!!
> The last switch I have tested was catalyst 3650 !!!
> It is not a bad switch, I guess !!!
>
Examples, can they be provided?
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCR+2cst+vzJSwZikRAlYFAJ9bmH/NKDTpnF9BvYITCNSekXLzfgCfZX8m
d/FexS62VxsbQQUb9/2hiGc=
=obvf
-----END PGP SIGNATURE-----
* Re: OT: Switch packet leakage
From: Mohamed Eldesoky @ 2005-03-29 14:31 UTC (permalink / raw)
To: R. DuFresne, netfilter
Examples of what ??
You mean packet captures ??
No need to provide it, since the source and destinations of those
packets, are not the machine from where I do sniffing, and it is not
the gateway, and these are not broadcasts, but TCP connections.
On Mon, 28 Mar 2005 06:42:16 -0500 (EST), R. DuFresne
<dufresne@sysinfo.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 28 Mar 2005, Mohamed Eldesoky wrote:
>
> > I faced that problem with many switches from cisco, foundry, 3com !!!
> > The last switch I have tested was catalyst 3650 !!!
> > It is not a bad switch, I guess !!!
> >
>
> Examples, can they be provided?
>
> Thanks,
>
> Ron DuFresne
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
>
> ...Love is the ultimate outlaw. It just won't adhere to rules.
> The most any of us can do is sign on as it's accomplice. Instead
> of vowing to honor and obey, maybe we should swear to aid and abet.
> That would mean that security is out of the question. The words
> "make" and "stay" become inappropriate. My love for you has no
> strings attached. I love you for free...
> -Tom Robins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFCR+2cst+vzJSwZikRAlYFAJ9bmH/NKDTpnF9BvYITCNSekXLzfgCfZX8m
> d/FexS62VxsbQQUb9/2hiGc=
> =obvf
> -----END PGP SIGNATURE-----
>
--
Mohamed Eldesoky
www.eldesoky.net
* Re: OT: Switch packet leakage
From: R. DuFresne @ 2005-03-29 17:37 UTC (permalink / raw)
To: Mohamed Eldesoky; +Cc: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 29 Mar 2005, Mohamed Eldesoky wrote:
> Examples of what ??
> You mean packet captures ??
> No need to provide it, since the source and destinations of those
> packets, are not the machine from where I do sniffing, and it is not
> the gateway, and these are not broadcasts, but TCP connections.
>
Examples of exactly what kind of packet leakage you experienced on which
vendors' switches running what specific switch software. Packet traces
would be nice, but are not required. You made the statement you commonly
ran into these issues on various vendors' products, I'm merely asking that
you share specifics of the information you claim.
Thanks,
Ron DuFresne
> On Mon, 28 Mar 2005 06:42:16 -0500 (EST), R. DuFresne
> <dufresne@sysinfo.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Mon, 28 Mar 2005, Mohamed Eldesoky wrote:
>>
>>> I faced that problem with many switches from cisco, foundry, 3com !!!
>>> The last switch I have tested was catalyst 3650 !!!
>>> It is not a bad switch, I guess !!!
>>>
>>
>> Examples, can they be provided?
>>
>> Thanks,
>>
>> Ron DuFresne
>> - --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> admin & senior security consultant: sysinfo.com
>> http://sysinfo.com
>>
>> ...Love is the ultimate outlaw. It just won't adhere to rules.
>> The most any of us can do is sign on as it's accomplice. Instead
>> of vowing to honor and obey, maybe we should swear to aid and abet.
>> That would mean that security is out of the question. The words
>> "make" and "stay" become inappropriate. My love for you has no
>> strings attached. I love you for free...
>> -Tom Robins <Still Life With Woodpecker>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.4 (GNU/Linux)
>>
>> iD8DBQFCR+2cst+vzJSwZikRAlYFAJ9bmH/NKDTpnF9BvYITCNSekXLzfgCfZX8m
>> d/FexS62VxsbQQUb9/2hiGc=
>> =obvf
>> -----END PGP SIGNATURE-----
>>
>
>
> --
> Mohamed Eldesoky
> www.eldesoky.net
>
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCSZJest+vzJSwZikRAjpKAKDQYlKAsExY3mCuSLnOcul94Yi2jACgynJZ
cotDVf79FOS8detCKmEz6mg=
=IQUw
-----END PGP SIGNATURE-----
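Added example, not part of the thread: a Python example of how the specifics requested above could be collected from a capture, by counting unicast frames seen on the capture port whose source and destination MAC both belong to other stations (the non-broadcast TCP traffic the original poster describes). LOCAL_MAC, the sample frames and all function names are constructed for illustration; frames are assumed to be untagged Ethernet II.

```python
import struct
from collections import Counter

LOCAL_MAC = bytes.fromhex("020000000001")  # constructed: MAC of the capturing NIC

def classify(frame, local_mac=LOCAL_MAC):
    """Classify one untagged Ethernet II frame seen on the capture port."""
    if len(frame) < 14:
        return ("runt", None)
    dst, src = frame[:6], frame[6:12]
    if dst[0] & 0x01:  # group bit set: broadcast or multicast
        return ("broadcast" if dst == b"\xff" * 6 else "multicast", None)
    if local_mac in (dst, src):
        return ("ours", None)
    # Unicast between two other stations: what the thread calls leakage.
    flow = f"{src.hex(':')} > {dst.hex(':')}"
    ip = frame[14:]
    if frame[12:14] == b"\x08\x00" and len(ip) >= 20 and ip[9] == 6:
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            a, b = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
            flow += f" tcp {a}:{sport} > {b}:{dport}"
    return ("foreign-unicast", flow)

def summarize(frames, local_mac=LOCAL_MAC):
    kinds, flows = Counter(), Counter()
    for frame in frames:
        kind, flow = classify(frame, local_mac)
        kinds[kind] += 1
        if flow:
            flows[flow] += 1
    return kinds, flows

def tcp_frame(dst, src, sip, dip, sport, dport):  # constructed frame, checksums zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(sip), bytes(dip))
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 0x50, 0x10, 1024, 0, 0)
    return dst + src + b"\x08\x00" + ip + tcp

A, B = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")  # constructed hosts
SAMPLE = [  # constructed frames, not taken from the thread
    tcp_frame(LOCAL_MAC, A, (10, 0, 0, 10), (10, 0, 0, 1), 40000, 22),  # to us
    tcp_frame(B, A, (10, 0, 0, 10), (10, 0, 0, 11), 40001, 80),  # A to B
    tcp_frame(B, A, (10, 0, 0, 10), (10, 0, 0, 11), 40001, 80),  # A to B again
    b"\xff" * 6 + A + b"\x08\x06" + bytes(28),  # ARP broadcast
    bytes.fromhex("01005e000001") + A + b"\x08\x00" + bytes(20),  # IP multicast
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The per-flow counts, together with the switch model and software version, are the kind of specifics the last message asks for.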