mac flooding attack, unicast and sniffer

AdamBudzinski
Level 1

hi all,

happy new year to all the support forums members!

If I'm not mistaken, in a switched environment a host will see all unicast (directly addressed to it) , broadcast (within same VLAN) and multicast (when belonging to the multicast group) frames.

Now let's consider that I run a MAC flooding attack on the switch in question. It fills up the whole MAC table (8,000, 16,000 entries, whatever). Now Host A wants to connect to Host B (both on the same switch, same VLAN). Host A has the MAC address of Host B in its ARP table. Host A sends the packet; it arrives on the switch (it will not learn the port Host A is on, because the CAM table is full), but it will not find Host B's MAC address either (I know that it can be present, but let's assume that it's not). So because Host A knew the MAC address of Host B, I'm more than sure that Host A sends out a unicast frame. So the switch inspects its CAM table looking for Host B's MAC and "says" I don't know where Host B is, so let me send the frame / packet to all ports. Even though it will send it to all ports, it's still a unicast. My question now is (if all the above is correct): when I'm running any sniffer on Host C (connected to the same switch, same VLAN), will I be able to see the packet? Or do I have to enable promiscuous mode inside Wireshark?

thank you in advance!

BR

Adam  


4 Replies

Peter Paluch
Cisco Employee

Hi Adam,

Happy New Year to you, too! Nice to see you here again!

My question now is (if all the above is correct).

Yes, that analysis is correct.

When I'm running any sniffer on Host C (connected to the same switch, same VLAN), will I be able to see the packet? Or do I have to enable promiscuous mode inside Wireshark?

You will need to enable the promiscuous mode in Wireshark, otherwise the network card on Host C would ignore the frame as it is not destined to its MAC address. Note that Wireshark automatically configures the promisc mode on the network card where traffic capturing is performed, so you do not actually need to configure anything special - Wireshark does this by default.

Best regards,
Peter

Hi Peter,

thank you :-)!

But in case of broadcast frames each and every host on the same VLAN would see them, correct? Or would I still have to enable promisc mode?

So the frame arrives with dest MAC set to FF:FF:FF:FF:FF:FF and each host looks at the frame, next the network layer, and all hosts (but not the one with the IP in question) would drop the frames / packet. OK, so I guess I would still have to have promisc enabled, correct, Peter?

Looking forward to hearing from you! 

BR

Adam 

Hi Adam,

But in case of broadcast frames each and every host on the same VLAN would see them, correct? Or would I still have to enable promisc mode?

I suppose you are still asking about sniffing and Wireshark. In that case, broadcast frames would be visible in Wireshark regardless of the promisc mode setting.

So the frame arrives with dest MAC set to FF:FF:FF:FF:FF:FF and each host looks at the frame, next the network layer, and all hosts (but not the one with the IP in question) would drop the frames / packet. OK, so I guess I would still have to have promisc enabled

What you have described is a correct processing of a broadcast frame including its payload by the NIC driver and the IP driver. However, Wireshark works at a fairly low level - it ties itself relatively near to the NIC driver. Every frame that is received by a NIC and handed over to the operating system for further processing is also copied to Wireshark. So even though the IP driver may find out that the IP packet is for someone else and drops it, Wireshark will nonetheless show the frame. The trick is only in getting the NIC to accept the frame in the first place. If the frame is a broadcast frame, the NIC will accept it automatically. If the frame is unicast/multicast and you still want your NIC to accept it even if it is not intended for that particular NIC, you need to use the promisc mode.

Please feel welcome to ask further!

Best regards,
Peter
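
The forwarding and receive logic discussed above (a CAM table that stops learning once it is full, unknown-unicast flooding to every other port in the VLAN, and the NIC's own address filter that decides what a sniffer on Host C ever gets to see), as an added example that is not part of the original posts. It is a small Python model written for this thread, not switch firmware or Wireshark code; the port names Gi0/1-Gi0/4, the MAC addresses, the CAM capacity of 8192 and the attacker's source-MAC range are constructed assumptions.

```python
"""Model of one VLAN on a switch with a bounded CAM table, plus a host NIC's
receive filter. Constructed example: every MAC, port name and capacity is made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit: least-significant bit of the first octet is set (broadcast included)."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str
    payload: str = ""


@dataclass
class Switch:
    ports: List[str]
    cam_capacity: int
    cam: Dict[str, str] = field(default_factory=dict)  # MAC -> port

    def learn(self, mac: str, port: str) -> None:
        if mac in self.cam:
            self.cam[mac] = port          # refresh an existing entry
        elif len(self.cam) < self.cam_capacity:
            self.cam[mac] = port
        # otherwise the table is full and nothing is learned: this is what
        # a MAC flooding attack relies on

    def forward(self, frame: Frame, ingress: str) -> List[str]:
        """Return the egress ports. Known unicast goes to one port; unknown
        unicast, broadcast and multicast are flooded to every other port."""
        self.learn(frame.src, ingress)
        if frame.dst != BROADCAST and not is_multicast(frame.dst):
            port = self.cam.get(frame.dst)
            if port is not None:
                return [] if port == ingress else [port]
        return [p for p in self.ports if p != ingress]


@dataclass
class Nic:
    mac: str
    promiscuous: bool = False
    multicast_groups: Set[str] = field(default_factory=set)

    def accepts(self, frame: Frame) -> bool:
        """Whether the NIC hands the frame up to the OS (and so to a sniffer).
        Without promiscuous mode only own-MAC, broadcast and joined multicast
        groups pass; the IP-layer "not for me" drop happens later, above this."""
        if self.promiscuous:
            return True
        if frame.dst in (self.mac, BROADCAST):
            return True
        return is_multicast(frame.dst) and frame.dst in self.multicast_groups


def mac_flood(switch: Switch, attacker_port: str, count: int) -> None:
    """Attacker on one port sends frames with `count` distinct source MACs."""
    for i in range(count):
        # locally administered unicast range 02:00:00:xx:xx:xx (constructed)
        src = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        switch.forward(Frame(src=src, dst=BROADCAST), attacker_port)


def scenario(attack: bool, promisc_on_c: bool) -> dict:
    """Host A (Gi0/1) talks to B (Gi0/2); C (Gi0/3) runs a sniffer; attacker on Gi0/4."""
    sw = Switch(ports=["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"], cam_capacity=8192)
    a, b, c = "00:11:22:00:00:0a", "00:11:22:00:00:0b", "00:11:22:00:00:0c"
    nic_c = Nic(mac=c, promiscuous=promisc_on_c)
    if attack:
        mac_flood(sw, "Gi0/4", sw.cam_capacity)   # CAM table is now full, B unknown
    else:
        sw.forward(Frame(src=b, dst=a), "Gi0/2")   # B has been learned normally
    unicast = Frame(src=a, dst=b, payload="A -> B")
    egress_u = sw.forward(unicast, "Gi0/1")
    bcast = Frame(src=a, dst=BROADCAST, payload="ARP who-has")
    egress_b = sw.forward(bcast, "Gi0/1")
    return {
        "cam_full": len(sw.cam) >= sw.cam_capacity,
        "a_learned": a in sw.cam,
        "unicast_egress": egress_u,
        "unicast_seen_by_c": "Gi0/3" in egress_u and nic_c.accepts(unicast),
        "broadcast_seen_by_c": "Gi0/3" in egress_b and nic_c.accepts(bcast),
    }


if __name__ == "__main__":
    for attack, promisc in [(False, True), (True, False), (True, True)]:
        print(f"attack={attack} promisc_on_C={promisc}:", scenario(attack, promisc))
```

Running it prints the three cases: without the attack the A-to-B unicast leaves only on Gi0/2 and no setting on C helps; with the CAM table full it is flooded to Gi0/3 as well, but C's NIC only passes it up when promiscuous mode is on, while the broadcast is accepted either way. The same two switches exist in real tools: Wireshark turns promiscuous mode on for the capture interface by default, as Peter notes, and `tcpdump -p` is the flag that leaves it off, which is a quick way to reproduce the "broadcast yes, flooded unicast no" result on a lab switch.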

Hi Peter,

thank you very much for taking the time to answer and clear my doubts!

Best Regards

Adam 
