[unisog] Strange things from our residence.

Jerry A. Copus copus at uwplatt.edu
Wed Oct 23 14:23:36 GMT 2002

I seem to recall that the tool was called "dsniff". A Google search will 
turn up a lot about it, but SANS has a general write-up of the theory at 

--On Tuesday, October 22, 2002 6:06 PM -0700 "David P. Allen" 
<allendp at plu.edu> wrote:

> Pete Hickey wrote:
>> SO we've had a weird problem (on a subnet) in one of our residences.
>> It seems like people were gradually loosing connectivity.  What was
>> happening is that someone was sending out ethernet packets with a
>> source MAC address of FFFFFFFFFFFF..  A broadcast as the asource.


> Sound a lot like a tool I've seen that is designed to "overload" a
> switch's ARP cache and force broadcast of traffic to all ports.
>  Essentially turning a switch into a hub until it eventually relearns
> everyone's port location.  Obviously, this tool is designed to provide a
> mechanism for sniffing even on a supposed "secure" segment, but it does
> have its drawbacks.  Not the least of which is the obvious user
> reactions of "something is broken".
> BTW, for anyone interested, I can't remember the name of the utility at
> the moment, but will supply it (once I remember) upon request.
> --
> David P. Allen
> Network Manager
> Pacific Lutheran University
> { (253) 535-7524          | "...one of the main causes of the fall of  }
> { allendp at PLU.edu         |  Rome was that, lacking zero, they had no  }
> { www.plu.edu/~allendp    |  way to indicate successful termination of }
> {                         |  their C programs."         --Robert Firth }

                 Jerry A. Copus -- Network Administrator
                  University of Wisconsin - Platteville
       Don't be afraid to take a big step if one is indicated.
   You can't cross a chasm in two small jumps. -- David Lloyd George

More information about the unisog mailing list