499 Views · 0 Helpful · 7 Replies

Odd sniffer results when connected to PC port of phone

We have a 7940 phone that's connected to a 3650 switch, and when a sniffer was plugged into its PC port, you were able to "sniff" multiple separate UDP voice streams from other phones to gateways and voicemail. Moving this phone to a 3550 switch produced the same results.

We have a separate voice VLAN and everything is configured with AutoQoS. Based on how switches operate, I shouldn't see anything but the traffic destined for the PC, right? Has anyone else seen this kind of behavior?

7 Replies

jasyoung
Level 7

The little two/three-port switch in the phone (remember that one port goes to the phone itself) isn't a normal switch. By default, all the traffic destined for the phone is also forwarded out the PC port. You can think of it like a switch that forwards traffic like a hub. You can turn this behavior off in newer versions of CallManager.

If you're seeing RTP streams for conversations that your phone isn't participating in, that would be a problem. I'm not sure why that would be, but your 3560/3550 switch shouldn't be sending it to your phone at all.
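
The check jasyoung describes (are the streams on the PC port the phone's own, or conversations the phone has no part in?) as an added example; this is not code from the thread or from Cisco. It constructs a handful of 802.1Q-tagged Ethernet/IPv4/UDP frames in memory to stand in for a capture, parses them by hand, groups RTP packets into 5-tuple streams and splits them into the phone's own streams (expected on the PC port, since the phone's internal switch repeats its traffic) and foreign streams (which should never reach this phone). The phone IP 10.20.0.15, voice VLAN 20, data VLAN 202 and the other addresses are assumed values for the demo.

```python
"""Classify the UDP/RTP streams a sniffer on an IP phone's PC port sees.

Added example, not code from the original post or from Cisco. All input is
constructed in memory so it runs offline; addresses and VLAN IDs are assumed.
"""
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
PROTO_UDP = 17

PHONE_IP = "10.20.0.15"   # assumed: the 7940 the sniffer is plugged into
VOICE_VLAN = 20           # assumed, matches "switchport voice vlan 20" in the thread
DATA_VLAN = 202           # assumed, matches the native VLAN in the thread


def build_frame(src_ip, dst_ip, sport, dport, vlan_id, rtp=True):
    """Build a minimal 802.1Q-tagged Ethernet/IPv4/UDP frame (constructed test data)."""
    if rtp:
        # RTP fixed header: V=2, no padding/extension/CSRC, PT=0 (PCMU), seq, ts, SSRC
        payload = struct.pack("!BBHII", 0x80, 0, 1, 160, 0xDEADBEEF) + b"\x00" * 20
    else:
        payload = b"\x00" * 20  # version bits are 0: not RTP
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + udp
    macs = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x66\x77\x88\x99\xaa"
    return macs + struct.pack("!HHH", ETH_P_8021Q, vlan_id & 0x0FFF, ETH_P_IP) + ip


def parse_frame(frame):
    """Return (vlan_id, src_ip, dst_ip, sport, dport, is_rtp), or None if not IPv4/UDP."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:            # 802.1Q tag present: read the VLAN ID
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP:
        return None
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_UDP or len(ip) < ihl + 8:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    payload = ip[ihl + 8:]
    # RTP heuristic: 12-byte fixed header with version bits == 2. RTCP shares the
    # version bits but normally sits on the odd port above the RTP port, so
    # require an even destination port.
    is_rtp = len(payload) >= 12 and payload[0] >> 6 == 2 and dport % 2 == 0
    return vlan_id, src_ip, dst_ip, sport, dport, is_rtp


def classify_streams(frames, phone_ip):
    """Group RTP packets into 5-tuple streams; split into the phone's own streams
    (expected on the PC port) and foreign streams (should never be there)."""
    counts = defaultdict(int)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or not parsed[5]:
            continue
        counts[parsed[:5]] += 1
    own, foreign = {}, {}
    for key, n in counts.items():
        _, src, dst, _, _ = key
        (own if phone_ip in (src, dst) else foreign)[key] = n
    return {"own": own, "foreign": foreign}


def demo_frames():
    """Constructed 'capture': the phone's own call plus a call between two other devices."""
    frames = []
    for _ in range(3):   # phone <-> gateway, both directions (expected on the PC port)
        frames.append(build_frame(PHONE_IP, "10.20.0.1", 16384, 20000, VOICE_VLAN))
        frames.append(build_frame("10.20.0.1", PHONE_IP, 20000, 16384, VOICE_VLAN))
    for _ in range(2):   # another phone -> voicemail server (should not be visible here)
        frames.append(build_frame("10.20.0.33", "10.20.0.2", 16390, 20002, VOICE_VLAN))
    frames.append(build_frame("10.202.0.50", "10.202.0.5", 50000, 53, DATA_VLAN, rtp=False))
    frames.append(build_frame("10.20.0.1", PHONE_IP, 20001, 16385, VOICE_VLAN))  # RTCP-like, odd port
    return frames


if __name__ == "__main__":
    result = classify_streams(demo_frames(), PHONE_IP)
    for label in ("own", "foreign"):
        for (vlan, src, dst, sp, dp), n in result[label].items():
            print(f"{label:8} vlan {vlan}: {src}:{sp} -> {dst}:{dp} ({n} pkts)")
```

With the constructed input this reports two "own" streams (phone to gateway and back) and one "foreign" stream (another phone to voicemail). On a real capture, feed the raw frames from your sniffer in place of demo_frames(); any entry under "foreign" is the case jasyoung calls a problem, since the upstream switch should not have delivered it to this phone at all.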

somsitc
Level 1

By default, the sniffer on the PC port can see the voice traffic of its phone. If this is a security concern and you want to disable this behavior, try disabling Gratuitous ARP and PC Voice VLAN Access in the phone's characteristics.

smahrous
Level 1

Will that behaviour also appear even when voice is in a different VLAN from data? I mean the port on the switch is configured as:

    switchport trunk encapsulation dot1q
    switchport trunk native vlan 202
    switchport mode trunk
    switchport voice vlan 20
    no ip address
    spanning-tree portfast

So how will the sniffer see the voice traffic? As Cisco says, the IP phone has an integrated switch so it can read the VLAN tag.

Can anyone explain this to me please!!!

Remember the switchport is configured as a trunk, which will see all traffic for all VLANs unless you implement VLAN pruning. I would configure the switchports to allow only the native and voice VLANs.

Forgive me, could you please explain it more?

I know that the switch port is configured as a trunk, but how could the sniffer on the PC detect the voice packets of the phone it is connected to, as both are in different VLANs?

The phone can read and write the VLAN tag, but by default doesn't forward based on it. Also, the phones do not keep a CAM table. So, like a hub, all packets into the phone get sent out all of the ports. Theoretically, all PC traffic would be sent out the internal IP phone port as well.

lfulgenzi
Level 7

We saw this too and opened a case with the TAC. We were concerned that this was visible for a number of reasons.

Turns out, the switch in the phone acts a little like a hub as well; it was specially programmed to do so as an aid to troubleshooting voice problems. Where we saw being able to sniff voice traffic as a security issue, they saw it as a tool.

Could go either way really.

Anyway, in 3.3(3)sr4a there is the ability to turn this off at the Call Manager. We have not tested this yet, but I will be soon. If we see no ill effects, I'll be deploying this change campus-wide.