This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

mac flooding attack, unicast and sniffer

0

hi all,

If I'm not mistaken, in a switched environment a host will see all unicast (directly addressed to it), broadcast (within the same VLAN) and multicast (when belonging to the multicast group) frames.

Now let's consider that I run a MAC flooding attack on the switch in question. It fills up the whole MAC table (8.000, 16.000 entries, whatever). Now, Host A wants to connect to B (both on the same switch, same VLAN). Host A has the MAC address of Host B in its ARP table. Host A sends the packet, it arrives on the switch (it will not learn the port Host A is on, because the CAM table is full) but it will not find Host B's MAC address either (I know that it can be present, but let's assume that it's not). So because Host A knew the MAC address of Host B, I'm more than sure that Host A sends out a unicast frame. So the switch inspects its CAM table looking for Host B's MAC and "says" I don't know where Host B is, so let me send the frame / packet to all ports. Even though it will send it to all ports, it's still a unicast. My question now is (if all the above is correct): when I'm running Wireshark on Host C (connected to the same switch, same VLAN), will I be able to see the packet? Or do I have to enable promiscuous mode inside Wireshark?

thank you in advance!

BR

Adam

asked 06 Jan '16, 05:00

adasko

edited 06 Jan '16, 05:02


One Answer:

2

Host C will receive the packet, but because the packet's destination MAC will differ from Host C's, Host C's NIC will drop the packet before handing it over to software (kernel and, important for you, Wireshark) unless it is switched over to promiscuous mode. One of the available ways to switch a NIC to promiscuous mode is to do so using Wireshark.

answered 06 Jan '16, 05:48

sindy

edited 06 Jan '16, 05:57

What about broadcast? Say Host B's MAC is not in Host A's ARP table, so it will start with an ARP request. Will all devices in the same VLAN see it (for example Host C), or will I have to enable promisc mode?

(06 Jan '16, 12:15) adasko

From the point of view of the NIC, a packet with broadcast dst MAC must be handed over to the software, so promiscuous mode is not necessary to let broadcast packets be captured.

Anticipating your next question, filtering of multicast packets is normally a job of the switch. The client uses IGMP to inform the switch in which multicast streams it is interested, and the switch does not send to it any others, so the NIC does not need to discriminate. On the other hand, not every switch supports IGMP controlled multicast filtering.

So I'd think that the NIC handles multicast packets the same way as broadcast ones, but I am not 100% sure here.

(06 Jan '16, 13:13) sindy

> So I'd think that the NIC handles multicast packets the same way as broadcast ones, but I am not 100% sure here.

Actually: NICs do filter IP multicast packets.

Specifically, when a client joins an IP multicast group, the IP address is mapped to an 'Ethernet multicast group address' (I think that's the right terminology) and the NIC is configured to accept packets addressed to that Ethernet address. (The mapping is not 1 to 1: a group of IP multicast addresses is mapped to an Ethernet address.)

Therefore, Host C will need to set promiscuous mode to see all the IP multicast packets (assuming that host C has not already joined an IP multicast which maps to the ethernet address for the IP multicast address which is to be monitored).

A web search finds lots of info:

E.g.,

http://www.dqnetworks.ie/toolsinfo.d/multicastaddressing.html

(06 Jan '16, 14:49) Bill Meier ♦♦
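
The receive-filter behaviour discussed in this thread, as an added example that is not part of the original posts: it maps IPv4 multicast groups to Ethernet addresses (the RFC 1112 mapping, low 23 bits of the IP address behind the prefix 01:00:5e) and shows which frames Host C's NIC hands to software with and without promiscuous mode. The `Nic` class, the host MAC addresses and the group addresses are constructed for illustration, and the model assumes an exact-match multicast filter; many real NICs use a hash filter that lets additional groups through.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"

def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet address (RFC 1112):
    01:00:5e followed by the low 23 bits of the IP address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)

class Nic:
    """Hypothetical, simplified NIC receive filter (exact-match multicast list)."""
    def __init__(self, mac, joined_groups=(), promiscuous=False):
        self.mac = mac.lower()
        self.mcast = {multicast_mac(g) for g in joined_groups}
        self.promiscuous = promiscuous

    def accepts(self, dst_mac: str) -> bool:
        """True if a frame with this destination MAC reaches the kernel/Wireshark."""
        dst = dst_mac.lower()
        if self.promiscuous:
            return True                      # filter disabled: everything passes
        if dst == self.mac or dst == BROADCAST:
            return True                      # own unicast and broadcast always pass
        return dst in self.mcast             # multicast only for joined groups

# Constructed, locally administered addresses for Host B and Host C.
HOST_B = "02:00:00:00:00:0b"
HOST_C = "02:00:00:00:00:0c"

def demo():
    """Return {frame: (accepted normally, accepted in promiscuous mode)} for Host C."""
    c = Nic(HOST_C, joined_groups=["239.1.1.1"])
    c_promisc = Nic(HOST_C, promiscuous=True)
    frames = {
        "flooded unicast to B": HOST_B,
        "ARP broadcast": BROADCAST,
        "joined group 239.1.1.1": multicast_mac("239.1.1.1"),
        "colliding group 224.129.1.1": multicast_mac("224.129.1.1"),
        "other group 239.2.2.2": multicast_mac("239.2.2.2"),
    }
    return {n: (c.accepts(d), c_promisc.accepts(d)) for n, d in frames.items()}

if __name__ == "__main__":
    for name, (normal, promisc) in demo().items():
        print(f"{name:30} normal={normal!s:5} promiscuous={promisc}")
```

The colliding group passes the filter without promiscuous mode because 239.1.1.1 and 224.129.1.1 share the same low 23 bits and therefore the same Ethernet address.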