Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Weird sniffer results (leaking switches)

Status
Not open for further replies.
uair01

uair01

Technical User
Apr 17, 2006
1
NL
Recently I plugged a sniffer in a random network port during a security audit (with permission). This being a switched network, I expected to see a lot of broadcast traffic and maybe some netbios traffic to my Win2003Sp1 box. Switch theory says that I shouldn't see any traffic that's not destined for my box.

I was surprised to see a lot of traffic between other boxes. These are just little snippets of TCP/IP, not whole conversations. But I was able to see a lot of netbios, some ldap, http and even kerberos and telnet. The traffic I see is mostly one-way, I see traffic going A->B but (mostly) no traffic going B->A. The data I captured does not look very dangerous, but it could be used for traffic analysis.

At first I thought it was some bug or misconfiguration in the switch, but then I found the same thing in a sniffer trace of another customer (and a totally different network).

Probably I’m overlooking some obvious explanations and I’ll probably kick myself when I read your answers …

An excerpt from the Ethereal TCP-conversations statistics. The sniffer is at : 251.21.150.9, 255.255.255.0

Address A - Port A - Address B - Port B - Packets - Bytes - Packets A->B - Bytes A->B - Packets A<-B - Bytes A<-B -
251.21.150.7 - 4771 - 251.21.140.101 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.35 - 2802 - 251.21.140.4 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.18 - 2578 - 251.21.140.101 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.35 - 2827 - 251.21.140.4 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.7 - 4788 - 251.21.140.101 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.35 - 2831 - 251.21.140.4 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.140.101 - 3265 - 251.21.150.17 - netbios-ssn - 1 - 62 - 1 - 62 - 0 - 0 -
251.21.150.35 - 2839 - 251.21.140.4 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.18 - 2597 - 251.21.140.101 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.35 - 2821 - 251.21.140.4 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.18 - 2602 - 251.21.140.101 - microsoft-ds - 1 - 62 - 0 - 0 - 1 - 62 -
251.21.150.120 - 1360 - 251.21.140.102 - 1026 - 5 - 300 - 0 - 0 - 5 - 300 -
251.21.150.23 - 1768 - 251.21.140.101 - 1026 - 5 - 300 - 0 - 0 - 5 - 300 -
251.21.150.16 - 1908 - 251.21.140.101 - 1026 - 5 - 300 - 0 - 0 - 5 - 300 -

The number of “leaked” packets is relatively small. The total number of sniffed packets is 874194 and of these just 2885 are non-broadcast and not aimed at the sniffer IP.

LDAP snippet:

0.........d.......0.....0....R..subschemaSubentry1....9.7CN=Aggregate,
CN=Schema,CN=Configuration,DC=ABCDEF,DC=NL0...... dsServiceName1....k.iCN=NTDS Settings,CN=LOGINGHI03,CN=Servers,CN=TheCity-GHI-en-BXP,CN=Sites,CN=Configuration,DC=ABCDEF,DC=NL0....u..namingContexts1..
.._.*CN=Schema,CN=Configuration,DC=ABCDEF,DC=NL. CN=Configuration,DC=ABCDEF,DC=NL..DC=ABCDEF,DC=NL0....-..defaultNamingContext1.......DC=ABCDEF,DC=NL0....G..schemaNamingContext1...
.,.*CN=Schema,CN=Configuration,DC=ABCDEF,DC=NL0
....D..configurationNamingContext1....". CN=Configuration,DC=ABCDEF,DC=NL0....0..rootDomainNamingContext1.......DC=ABCDEF,DC=NL0.......supportedControl1.....
..1.2.840.131556.1.4.319..1.2.840.131556.1.4.801..1.2.840.
131556.1.4.473..1.2.840.131556.1.4.528..1.2.
840.131556.1.4.417..1.2.840.131556.1.4.619..1.2.840.131556.1.4.841..1.2.840.131556.1.4.529..1.2.840.131556.1.4.805..1.2.840.131556.1.
4.521..1.2.840.131556.1.4.970..1.2.840.131556.1.4.3138..1.2.840.131556.1.4.474..1.2.840.131556.1.4.3139..1.2.840.131556.1.4.3140..1.2.
840.131556.1.4.14310...."..supportedLDAPVersion1.......3..20.......supportedLDAPPolicies1.......MaxPoolThreads..MaxDatagramRecv..
MaxReceiveBuffer..InitRecvTimeout..MaxConnections.
.MaxConnIdleTime..MaxActiveQueries.
.MaxPageSize..MaxQueryDuration..MaxTempTableSize..MaxResultSetSize..MaxNotificationPerConn0....3..supportedSASLMechanisms1.......GSSAPI.
GSS-SPNEGO0....)..dnsHostName1.......loginghi03.ABCDEF.NL0....8..ldapServiceName1....
!..ABCDEF.NL:loginghi03$@ABCDEF.NL0....l.
serverName1....Z.XCN=LOGINGHI03,CN=Servers,CN=TheCity-GHI-en-BXP,CN=Sites,CN=Configuration,DC=ABCDEF,DC=NL0....N..supportedCapabilities1..
..1..1.2.840.131556.1.4.800
..1.2.840.131556.1.4.17910.........e.....
......


IP-adresses and domain names obfuscated.
 
Sort by date Sort by votes
It might also be possible that the configuration of the switch is somewhat narrow.
When a switch learns a MAC address from a switch port, it adds this MAC address with the corresponding switchport to the 'switchtable'.
When the table is full (no more room in the available memory) a method of purging happens. There even may be other processes (e.g. Time-out timers) who are responsible for initiating a 'purge' action.
after that the switch forgot at which switchport the MAC address was.
When another host wants to transmit information to the 'forgotten' MAC Address, the switch doesn't know which switchport it has to send the packets (because is just had decided to 'forget' that MAC address) and sends out the packets to all other ports.
When your Sniffer is attached to this switch you might see some information belonging to an existing session between two hosts.
When the destination MAC address responds back to the source MAC address, the switch again learns at which port the MAC address is attached and adds it to the 'switch table'. The next packets are now switched to the corresponding port and your sniffer sees nothing (until the next 'purge' action ......)



Promiscuous mode on your NIC means that your NIC accepts network packets, which are not addressed to your MAC address.

HTH
(feel free to correct me :)
 
Upvote 0 Downvote
PalmTest is probably right, althought the table doesn't need to be full for this to happen, necessarily. A switch will forward the following frames out all ports, by default:

* Broadcasts
* Multicasts
* Unicast traffic for unknown destinations

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

g33man
  • Locked
  • Question
different results from different LDAP browsers
Replies
0
Views
44
g33man
g33man
Phantaquh
  • Locked
  • Question
Weird answer from a Switch
Replies
2
Views
64
Phantaquh
Phantaquh
Papa4
  • Locked
  • Question
Alcatel Switches
Replies
1
Views
57
burtsbees
burtsbees
mikestips
  • Locked
  • Question
Sniffer question 1
Replies
6
Views
44
mikestips
mikestips
itnooby
  • Locked
  • Question
Dobut on monitor different model of CISCO Switches and Routers
Replies
0
Views
41
itnooby
itnooby

Part and Inventory Search

Sponsor

Back
Top