# What exactly is Bridge Sniffing



## sbobillierc (Jan 10, 2008)

As far as I have read you use a PC with two Ethernet cards to sniff packages from a network but exactly how does it work? Ettercap has the option to use two network interfaces to do Bridge Sniffing but since I do not have a test envirmoent I haven't been able to test the stuff.

Anyone knows about it? Any recomended reading?

Thanks in advance.


----------



## Cellus (Aug 31, 2006)

You don't actually need two. You can use one.

What you can do is run a sniffer on one interface in what is known as "promiscuous mode". Normally packets which are not addressed to you but are received by the interface are silently dropped, however in promiscuous mode they are not. This will allow you to use a protocol analyzer on all packets received through an interface.

I should note that this may not work as you intend over a switched network. Packets which are sent through a switch or router are, unlike hubs, not blindly broadcasted out on all ports (ie. multi-port bridge). Your NIC, running in promiscuous mode or not, can not capture packets not addressed to it if it never had the packets sent to it in the first place. However some switches and routers (mainly the non-Home/SOHO ones) have special ports on them which will infact send all packets through to it (useful for troubleshooting and for things like IDS) and/or can be configured to do so on regular ports.


----------

