Most IT pros have heard of CAM table overflow attacks or MAC address flooding attacks and understand at least the basic concept: send a ton of frames with different source MAC addresses to a switch, causing the CAM table to fill, and the switch begins to act more like a hub. While the basic idea is correct, it’s not quite that simple. An important factor is how the switch manages the entries in the CAM table. Cisco switches maintain an entry until the aging timer for the entry expires. Even if the CAM table fills due to an attack, the existing valid entries will continue to be honored and traffic for those addresses will not be flooded out all ports.
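The aging behavior described above can be seen in a toy model. This is an added example, not code from the original post or from any vendor; the table size, timer value and MAC addresses are constructed, and the model assumes a full table learns nothing new, never evicts a live entry, and refreshes an entry whenever its source address is seen again. It also carries the scenario past the aging timer to show what happens to a host that stays silent.

```python
class CamTable:
    """Toy fixed-size MAC table with per-entry aging (constructed model)."""

    def __init__(self, capacity, aging_secs):
        self.capacity = capacity
        self.aging_secs = aging_secs
        self.entries = {}  # mac -> (port, last_seen)

    def _expire(self, now):
        # Drop entries whose aging timer has run out.
        self.entries = {m: (p, t) for m, (p, t) in self.entries.items()
                        if now - t < self.aging_secs}

    def learn(self, mac, port, now):
        """Learn or refresh a source MAC; returns False when the table is full."""
        self._expire(now)
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = (port, now)
            return True
        return False  # assumption: live entries are never evicted

    def forward(self, dst, now):
        """Return the egress decision for a destination MAC."""
        self._expire(now)
        entry = self.entries.get(dst)
        return f"port {entry[0]}" if entry else "flood"


def run_scenario():
    a, b, c = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    bogus = [f"02:00:00:00:00:{i:02x}" for i in range(6)]  # constructed
    cam = CamTable(capacity=4, aging_secs=300)
    out = {}
    cam.learn(a, 1, now=0)
    cam.learn(b, 2, now=0)
    # Frames with many unknown source MACs arrive on port 9 and fill the table.
    out["bogus_learned"] = sum(cam.learn(m, 9, now=10) for m in bogus)
    out["to_A_while_full"] = cam.forward(a, now=20)  # existing entry honored
    out["C_learned"] = cam.learn(c, 3, now=20)       # new host, table full
    out["to_C_while_full"] = cam.forward(c, now=20)
    cam.learn(a, 1, now=200)       # host A keeps talking: timer refreshed
    for m in bogus:                # table is still being kept full at t=290
        cam.learn(m, 9, now=290)
    out["to_A_later"] = cam.forward(a, now=310)
    out["to_B_later"] = cam.forward(b, now=310)  # silent since t=0: aged out
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```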
Have you ever wanted to view the traffic on a link without forcing it to half-duplex with a hub or spending an exorbitant amount of money on an aggregating tap? A cheap DIY passive tap may be your answer.
Before we get into the build, let's explore the types of network taps and their pros and cons.