Where this won't work is when "port security" has been enabled on the switch, a not uncommon practice. Your machine will now forward packets through its IP stack as if it was the gateway. The interesting machines will unwittingly send all gateway/default route destined traffic to your machine. It tricks your interested hosts (and the switch) that your machine MAC address now owns the IP of the old IP gateway by sending out a "gratuitous arp". Enter Ettercap which is an arp poisoning tool. So you need a way to act as an Ethernet bridge between the interesting hosts and their gateway but without being physically in the path. This still won't let them be captured by Wireshark/tcpdump, however. Most managed switches (not a dumb desktop one) allow you to designate a port mirror so that all Ethernet frames are replicated on a specific port where you can attach a machine in promiscuous mode and capture "foreign" Ethernet frames using tcpdump/Wireshark. Therefore, you will only see Ethernet frames destined to or originating from your NIC including broadcast Ethernet frames, such as ARP, but not foreign traffic.
This is to reduce collisions associated with Ethernet hubs (something you rarely see these days). The problem you have is that an Ethernet switch is designed so that it learns the MAC addresses on each port and uses this to "route" Ethernet frames to the correct port based on their MAC address.
You should be able to Wireshark/tcpdump the information you require. One way to achieve what you want is to use an arp poisoning tool, such as Ettercap.
0 kommentar(er)
