Spanning Tree Protocol

Discussion in 'Capsa Network Analyzer' started by Searching_ _ _, Feb 4, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is Spanning Tree Protocol manipulation a serious threat to network security?

    Does the Spanning Tree Protocol manipulation offer an attacker similar functionality as ARP poisoning?

    If I have 3 computers and a router am I susceptible to this attack?
     
  2. Colasoft Support

    Colasoft Support Colasoft Moderator

    Joined:
    Dec 6, 2007
    Posts:
    254
    I suggest you read the article on STP again.
    For details you can refer to http://en.wikipedia.org/wiki/Spanning_tree_protocol

    If there are not any devices except the switch being used, you can capture STP packets.
    The key function of STP is to prevent bridge loops and ensuing broadcast radiation. Otherwise, it must bring a broadcast and make the network down.
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Yes. I have read that. I have also read this:
    http://www.javvin.com/networksecurity/SpanningTreeProtocolManipulation.html

    I am receiving STP packets every 2 seconds. I don't know if this is normal for my network or a possible attack.
    Wan Coax=||=[_FiOS-STB1_]
    **************||
    **************||==[_FiOS-STB2_]
    **************||
    **************||==[router/firewall enabled]==[computer/firewall enabled]
    *=formatting for alignment
    STB1 and STB2 are listed by router/firewall as LAN with LAN address even though they are on the WAN side.
    If I take the STB's out of the network I still receive the STP packets @ 2 second intervals.
    I have been reading many articles on STP, CISCO, SecurityFocus...they have better illustrations, though it hasn't improved my understanding a lot.

    Thanks
     
    Last edited: Feb 5, 2010
  4. Colasoft Support

    Colasoft Support Colasoft Moderator

    Well, for example, two Cisco 2900XL switches cascade. It received an STP packet every 2 seconds, and the destination is 01:80:C2:00:00:00. The 2 seconds should be called Hello BPDU Interval or Hello Time. It is normal.

    If there are a large number of STP packets in the network, according to the frequency of STP packets, you can pinpoint whether there is a network problem.
    If there are not any devices except the switch using STP, you can try to remove the router or firewall, and then check whether the STP traffic increased.
     
  5. Searching_ _ _

    Searching_ _ _ Registered Member

    STP Conf. Root = 61440/4095/ff:ff:06:a6:cb:cc Cost = 0 Port = 0x8004
    Message Age: 0
    Max Age: 20
    Hello Time: 2
    Forward Delay: 15

    Destination: Spanning-tree-(for-bridges)_00 (01:80:c2:00:00:00)
    How did you know?

    The first line above includes a mac address of one device inside the router. I will have to check and see if it is wifi, coax, ethernet or such.

    So I can chalk it up to normal activity?
     
  6. Colasoft Support

    Colasoft Support Colasoft Moderator

    Yes. According to the message you mentioned, your network is normal if there are not any other network problems.
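
Added example, not part of the original thread: a Python decoder for the 802.1D Configuration BPDU fields quoted in post 5, plus a check that reports when the advertised root bridge changes between captured BPDUs. The function names are hypothetical, the sender's bridge ID is not shown in the thread and is assumed equal to the root ID (the cost is 0), and the second BPDU is constructed test data.

```python
import struct

BPDU_FMT = "!HBBBH6sIH6sHHHHH"  # 35-byte Configuration BPDU, network byte order

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_config_bpdu(payload):
    """Decode the 35 bytes that follow the LLC header of an STP frame."""
    if len(payload) < 35:
        raise ValueError("truncated BPDU")
    (proto, _ver, btype, _flags, root_pri, root_mac, cost, br_pri, br_mac,
     port, msg_age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, payload[:35])
    if proto != 0 or btype != 0:
        raise ValueError("not a Configuration BPDU")
    return {
        # 16-bit field = 4-bit priority (steps of 4096) + 12-bit system ID extension
        "root": (root_pri & 0xF000, root_pri & 0x0FFF, mac(root_mac)),
        "bridge": (br_pri & 0xF000, br_pri & 0x0FFF, mac(br_mac)),
        "cost": cost, "port": port,
        # timers are carried in units of 1/256 second
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }

def root_changes(bpdus):
    """Return (index, old_root, new_root) each time the advertised root differs."""
    changes, current = [], None
    for i, b in enumerate(bpdus):
        if current is not None and b["root"] != current:
            changes.append((i, current, b["root"]))
        current = b["root"]
    return changes

def build(root_pri, mac_hex, cost, port):
    # Test helper. Assumption: sender is the root, so bridge ID == root ID.
    m = bytes.fromhex(mac_hex)
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root_pri, m, cost,
                       root_pri, m, port, 0, 20 * 256, 2 * 256, 15 * 256)

SAMPLE = build(0xFFFF, "ffff06a6cbcc", 0, 0x8004)  # values quoted in post 5
OTHER = build(0x0000, "020000000001", 0, 0x8001)   # constructed: a different root

if __name__ == "__main__":
    seen = [parse_config_bpdu(p) for p in (SAMPLE, SAMPLE, OTHER)]
    print(seen[0])
    for idx, old, new in root_changes(seen):
        print(f"BPDU #{idx}: root changed {old} -> {new}")
```

A steady stream of BPDUs with an unchanged root and a 2-second hello time matches what the thread describes as normal; a change of root with no corresponding change to the switches is what to investigate.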
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    I am new to capturing packets and learning to analyze them.

    Thank you for the explanation.
     
  8. Colasoft Support

    Colasoft Support Colasoft Moderator

    That's great. If you have any questions later, just feel free to post here.
     