Wireshark-users: Re: [Wireshark-users] How Did I See These Packets?

From: "Kevin Morton" <wireshark@xxxxxxxxx>
Date: Fri, 16 Nov 2007 13:01:44 -0600 (CST)
Another possibility that you might want to look into is invalid settings
for subnet mask/default gateway on the PCs or switches involved, as well
as whether somebody did something very strange like creating static ARP entries
on the PC or the switch that may once have been correct but aren't
anymore.  I've seen corrupted ARP tables or specific entries on switches
that would cause this behavior, too.


Kevin.

> I recently installed a new managed switch at a Customer location.
> Initially, the only connections to the new switch were two local PCs,
> my monitoring PC, and the link to the Customer's network.  I noticed
> what seemed to be excessive traffic on the network (lots of blinky
> lights), so I turned on Wireshark to see what might be going on in the
> broadcast/multicast world.
>
> What I found was a TCP session transferring cleartext data from one PC
> to another.  The two PCs were on two separate switches elsewhere in the
> network (see text diagram below):
>
> PC1----SWITCH 1-----|
>                     |
>                CORE SWITCH----NEW SWITCH----MONITORING PC
>                     |
> PC2----SWITCH 2-----|
>
> There was no port mirroring active on the new switch.  This is a flat
> class B network (Note: we are working to correct that).  My monitoring
> PC address was in a different subnet.
>
> Disregarding the security implications (according to the Customer's IS
> tech, the owners of the two machines were in separate departments, and
> there was no reason for them to be communicating the information found
> in the packets), I don't understand how I could even see this info.
>
> Assuming that something happened to cause a switch to fall into hub
> mode, then it would have needed to happen on at least two switches
> (including my new switch), and I would have expected to see collisions
> in the high traffic environment around the core switch.  None were
> captured.
>
> Any ideas on how those packets appeared at a remote switch port?
>
> Jon "Buddy" McManus
> Wireless Communications, Inc.
> bmcmanus@xxxxxxxxxxxxxx
>
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
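The mechanism behind Kevin's subnet-mask/default-gateway hint is worth seeing in code: a learning switch forwards a unicast frame to one port only while it holds a fresh MAC-table (CAM) entry for the destination; once that entry ages out it floods the frame out of every port, exactly as it does for broadcast. No hub mode and no collisions are involved. If PC2 has a wrong mask or gateway, its replies to PC1 go through the router, so the core switch never again sees PC2's MAC as a source and the PC1-to-PC2 half of the session ends up on the new switch's port. The script below is an added example written for this thread, not code from the original post or from the Wireshark project; it models that case and then triages a constructed capture the way the monitoring PC would. Every MAC address, port name and timing is constructed, and the 300 s aging value is a common default rather than a fact from the thread.

```python
"""Why a non-mirrored switch port can see someone else's unicast TCP stream.

Added example for this thread (not the poster's or the Wireshark project's
code).  All MACs, port names and timings are constructed; CAM_AGING_SECONDS
is an assumed typical default.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
CAM_AGING_SECONDS = 300  # assumed typical MAC-table aging time


def is_group_address(mac):
    """True for broadcast/multicast: the I/G bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    """Minimal L2 switch: learns source MAC -> port, ages entries, and floods
    any destination it does not currently know, just as it floods broadcast."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # mac -> (port, time_last_seen_as_source)

    def forward(self, now, in_port, src, dst):
        """Return the list of egress ports for one frame."""
        self.cam[src] = (in_port, now)
        entry = self.cam.get(dst)
        known = entry is not None and now - entry[1] < CAM_AGING_SECONDS
        if is_group_address(dst) or not known:
            return sorted(p for p in self.ports if p != in_port)
        return [entry[0]]


# Constructed topology: the core switch from the text diagram plus a router.
CORE_PORTS = ["to_switch1", "to_switch2", "to_router", "to_new_switch"]
PC1_MAC = "00:11:22:33:44:01"
PC2_MAC = "00:11:22:33:44:02"
ROUTER_MAC = "00:aa:bb:cc:dd:01"
MONITOR_MAC = "00:11:22:33:44:ee"


def gateway_misconfig_scenario():
    """PC1 (correct /16 mask) sends to PC2 directly.  PC2 (wrong mask or
    gateway) believes PC1 is off-link and replies via the router, so the core
    only ever refreshes ROUTER_MAC.  When PC2's entry ages out, every
    PC1->PC2 frame is flooded, including to the port of the new switch."""
    core = LearningSwitch(CORE_PORTS)
    core.forward(0, "to_switch2", PC2_MAC, BROADCAST)  # PC2's own ARP: learned
    first_flooded_at = None
    flooded_frames = 0
    for t in range(10, 600, 10):
        out = core.forward(t, "to_switch1", PC1_MAC, PC2_MAC)   # data, direct
        core.forward(t + 5, "to_router", ROUTER_MAC, PC1_MAC)  # reply, relayed
        if "to_new_switch" in out:
            flooded_frames += 1
            if first_flooded_at is None:
                first_flooded_at = t
    return {"first_flooded_at": first_flooded_at, "flooded_frames": flooded_frames}


def triage_capture(frames, my_mac):
    """Count unicast frames a capture on my_mac's port should never have
    received (destination is neither my_mac nor a group address).  A
    non-zero count means the upstream switch delivered someone else's
    unicast to this port: flooding, mirroring, or a hub."""
    counts = defaultdict(int)
    for f in frames:
        if f["dst"] != my_mac and not is_group_address(f["dst"]):
            counts[(f["src"], f["dst"])] += 1
    return dict(counts)


# Constructed capture, as the monitoring PC might have recorded it.
SAMPLE_FRAMES = [
    {"src": PC1_MAC, "dst": BROADCAST},            # ARP request: normal
    {"src": PC1_MAC, "dst": PC2_MAC},              # someone else's TCP data
    {"src": PC1_MAC, "dst": PC2_MAC},
    {"src": ROUTER_MAC, "dst": MONITOR_MAC},       # our own traffic: normal
    {"src": ROUTER_MAC, "dst": "01:00:5e:00:00:01"},  # multicast: normal
]

if __name__ == "__main__":
    print(gateway_misconfig_scenario())
    print(triage_capture(SAMPLE_FRAMES, MONITOR_MAC))
```

In the model the flooding starts exactly when the aging timer expires and continues for as long as PC2's replies keep taking the router path; the triage pass then reports the PC1-to-PC2 pair as the only unexpected unicast. The same check in Wireshark is a display filter that excludes the monitoring PC's own MAC as destination and excludes group addresses (the I/G bit of `eth.dst`); whatever remains was delivered to that port by the switch, and the fix is in the hosts' IP configuration or the switch's static entries rather than in the capture setup.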