What exactly is Bridge Sniffing

sbobillierc · 01-18-2008, 02:38 PM

As far as I have read you use a PC with two Ethernet cards to sniff packages from a network but exactly how does it work? Ettercap has the option to use two network interfaces to do Bridge Sniffing but since I do not have a test envirmoent I haven't been able to test the stuff.

Anyone knows about it? Any recomended reading?

Thanks in advance.

**Cellus** · 01-20-2008, 08:40 AM

You don't actually need two. You can use one.

What you can do is run a sniffer on one interface in what is known as "promiscuous mode". Normally packets which are not addressed to you but are received by the interface are silently dropped, however in promiscuous mode they are not. This will allow you to use a protocol analyzer on all packets received through an interface.

I should note that this may not work as you intend over a switched network. Packets which are sent through a switch or router are, unlike hubs, not blindly broadcasted out on all ports (ie. multi-port bridge). Your NIC, running in promiscuous mode or not, can not capture packets not addressed to it if it never had the packets sent to it in the first place. However some switches and routers (mainly the non-Home/SOHO ones) have special ports on them which will infact send all packets through to it (useful for troubleshooting and for things like IDS) and/or can be configured to do so on regular ports.

01-18-2008, 02:38 PM	#1 (permalink)
sbobillierc Registered User Join Date: Jan 2008 Location: Colombia Posts: 9 OS: Windows XP SP 2 / Kubuntu 7.10 Gusty	What exactly is Bridge Sniffing As far as I have read you use a PC with two Ethernet cards to sniff packages from a network but exactly how does it work? Ettercap has the option to use two network interfaces to do Bridge Sniffing but since I do not have a test envirmoent I haven't been able to test the stuff. Anyone knows about it? Any recomended reading? Thanks in advance.

01-20-2008, 08:40 AM	#2 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,664 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Re: What exactly is Bridge Sniffing You don't actually need two. You can use one. What you can do is run a sniffer on one interface in what is known as "promiscuous mode". Normally packets which are not addressed to you but are received by the interface are silently dropped, however in promiscuous mode they are not. This will allow you to use a protocol analyzer on all packets received through an interface. I should note that this may not work as you intend over a switched network. Packets which are sent through a switch or router are, unlike hubs, not blindly broadcasted out on all ports (ie. multi-port bridge). Your NIC, running in promiscuous mode or not, can not capture packets not addressed to it if it never had the packets sent to it in the first place. However some switches and routers (mainly the non-Home/SOHO ones) have special ports on them which will infact send all packets through to it (useful for troubleshooting and for things like IDS) and/or can be configured to do so on regular ports. __________________ TSF Networking Team Virus/Trojan/Spyware Removal Help Donate!