01-06-2016 04:38 AM - edited 03-08-2019 03:18 AM
hi all,
happy new year to all the support forums members!
If I'm not mistaken, in a switched environment a host will see all unicast (directly addressed to it), broadcast (within same VLAN) and multicast (when belonging to the multicast group) frames.
Now let's consider that I run a MAC flooding attack on the switch in question. It fills up the whole MAC table (8.000, 16.000 entries, whatever). Now, Host A wants to connect to B (both on same switch, same VLAN). Host A has in its ARP table the MAC address of host B. Host A sends the packet, it arrives on the switch (it will not learn the port Host A is on, because the CAM table is full) but it will not find Host B's MAC address as well (I know that it can be present, but let's assume that it's not). So because Host A knew the MAC address of Host B I'm more than sure that Host A sends out a unicast frame. So the switch inspects its CAM table looking for Host B's MAC and "says" I don't know where host B is at, so let me send the frame / packet to all ports. Even though it will send it to all ports it's still a unicast. My question now is (if all the above is correct): when I'm running any sniffer on host C (connected to same switch, same VLAN) will I be able to see the packet? Or do I have to enable promiscuous mode inside Wireshark?
thank you in advance!
BR
Adam
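As an added defender-side example (not from the thread), the following Python flags a switch port whose learning behaviour matches the CAM-table exhaustion Adam describes; port names, MAC addresses and timestamps are constructed, and in practice the events would come from periodic MAC address table snapshots or learning syslogs.

```python
from collections import defaultdict

# Constructed sample: Gi1/0/3 learns 300 distinct source MACs in about three
# seconds, while the other two ports learn one or two addresses each.
SAMPLE_EVENTS = (
    [(0.0, "Gi1/0/1", "00:11:22:33:44:01"),
     (0.5, "Gi1/0/2", "00:11:22:33:44:02")]
    + [(1.0 + i * 0.01, "Gi1/0/3", "02:00:00:00:%02x:%02x" % (i // 256, i % 256))
       for i in range(300)]
    + [(5.0, "Gi1/0/2", "00:11:22:33:44:05")]
)

def flooding_ports(events, window=10.0, threshold=50):
    """Return {port: peak_distinct_macs} for every port that learned more than
    `threshold` distinct source MACs inside any `window`-second span.
    An access port normally hosts a handful of addresses; hundreds of new
    ones within seconds is what a CAM-table exhaustion attempt looks like."""
    per_port = defaultdict(list)                # port -> [(timestamp, mac), ...]
    for ts, port, mac in events:
        per_port[port].append((ts, mac))
    suspects = {}
    for port, seen in per_port.items():
        seen.sort()                             # sliding window over time
        lo = 0
        for hi in range(len(seen)):
            while seen[hi][0] - seen[lo][0] > window:
                lo += 1
            distinct = len({mac for _, mac in seen[lo:hi + 1]})
            if distinct > threshold:
                suspects[port] = max(distinct, suspects.get(port, 0))
    return suspects
```

The matching preventive control on Cisco IOS access ports is port security (switchport port-security with a small maximum), which stops the table from being filled in the first place.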
01-06-2016 05:16 AM
Hi Adam,
Happy New Year to you, too! Nice to see you here again!
My question now is (if all the above is correct).
Yes, that analysis is correct.
When I'm running any sniffer on host C (connected to same switch, same VLAN) will I be able to see the packet? Or do I have to enable promiscuous mode inside Wireshark?
You will need to enable the promiscuous mode in Wireshark, otherwise the network card on Host C would ignore the frame as it is not destined to its MAC address. Note that Wireshark automatically configures the promisc mode on the network card where traffic capturing is performed, so you do not actually need to configure anything special - Wireshark does this by default.
Best regards,
Peter
01-06-2016 07:59 AM
Hi Peter,
thank you :-) !
But in case of broadcast frames each and every host on same VLAN would see them, correct? Or would I still have to enable promisc mode?
So the frame arrives with dest MAC set to FF:FF:FF:FF:FF:FF and each host looks at the frame, next the network layer and all hosts (but not the one with the IP in question) would drop the frames / packets. OK, so I guess I would still have to have promisc enabled, correct Peter?
Looking forward to hearing from you!
BR
Adam
01-06-2016 02:30 PM
Hi Adam,
But in case of broadcast frames each and every host on same VLAN would see them, correct? Or would I still have to enable promisc mode?
I suppose you are still asking about sniffing and Wireshark. In that case, broadcast frames would be visible in Wireshark regardless of the promisc mode setting.
So the frame arrives with dest MAC set to FF:FF:FF:FF:FF:FF and each host looks at the frame, next the network layer and all hosts (but not the one with the IP in question) would drop the frames / packets. OK, so I guess I would still have to have promisc enabled
What you have described is a correct processing of a broadcast frame including its payload by the NIC driver and the IP driver. However, Wireshark works at a fairly low level - it ties itself relatively near to the NIC driver. Every frame that is received by a NIC and handed over to the operating system for further processing is also copied to Wireshark. So even though the IP driver may find out that the IP packet is for someone else and drops it, Wireshark will nonetheless show the frame. The trick is only in getting the NIC to accept the frame in the first place. If the frame is a broadcast frame, the NIC will accept it automatically. If the frame is unicast/multicast and you still want your NIC to accept it even if it is not intended for that particular NIC, you need to use the promisc mode.
Please feel welcome to ask further!
Best regards,
Peter
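To make Peter's two answers concrete, here is an added Python model (not from the thread or any vendor code) of the switch forwarding decision with a bounded CAM table and of a NIC's receive filter; the port numbers, MAC addresses and the table size of 4 are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B, MAC_C = "00:aa:00:00:00:01", "00:bb:00:00:00:02", "00:cc:00:00:00:03"

def is_group(mac):
    # I/G bit (LSB of the first octet) marks multicast; broadcast is all ones.
    return int(mac.split(":")[0], 16) & 1 == 1

class Switch:
    """Transparent bridge with a bounded MAC (CAM) table."""
    def __init__(self, ports, capacity):
        self.ports, self.capacity, self.cam = set(ports), capacity, {}

    def learn(self, src, port):
        # A full table cannot take a new source address; known ones are refreshed.
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = port

    def forward(self, ingress, src, dst):
        """Egress ports for one frame: unknown unicast floods exactly like broadcast."""
        self.learn(src, ingress)
        if is_group(dst) or dst not in self.cam:
            return self.ports - {ingress}
        return {self.cam[dst]} - {ingress}

def nic_accepts(own_mac, dst, promisc):
    """Receive filter: only accepted frames reach the OS and therefore the sniffer."""
    return promisc or dst == own_mac or dst == BROADCAST

def capture_on_c(dsts, cam_full, promisc):
    """Destination MACs of frames A (port 1) sends that a sniffer on C (port 3) sees."""
    sw = Switch(ports=(1, 2, 3), capacity=4)
    if cam_full:   # constructed filler entries occupy every slot, so B is never learned
        for i in range(4):
            sw.learn("02:00:00:00:00:%02x" % i, 3)
    else:          # normal operation: the switch already knows where B is
        sw.learn(MAC_B, 2)
    seen = []
    for dst in dsts:
        if 3 in sw.forward(1, MAC_A, dst) and nic_accepts(MAC_C, dst, promisc):
            seen.append(dst)
    return seen
```

Promiscuous mode only matters once the switch floods: with an intact table the A to B frame never reaches C's port, while a broadcast is captured on C in every case.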
01-08-2016 05:09 AM
Hi Peter,
thank you very much for taking time to answer and clear my doubts !
Best Regards
Adam