Listen to UDP messages which are not sent as a broadcast

Consider the following: I have a device which sends UDP messages to another device, both on the same switch. The UDP messages are not sent as a broadcast. Now I want to listen to these UDP messages with a third device, also connected to the same switch.

Now I have to choose the right switch and I'm not sure if I missed something: Is it correct that the UDP messages are sent out through all ports of the switch anyway, since a Layer 2 switch doesn't know anything about addresses? Or in other words: Can I use any Layer 2 switch, managed or unmanaged, as long as all devices are in the same subnet?

Thanks for your help! Simon

Solution 1:[1]

I think you're misunderstanding how layer 2 works in the TCP/IP model.

If a UDP datagram is sent to a specific machine on the network, its layer 2 address should be the destination's MAC address, and the switch will send it only to this machine as long as it has the MAC address in its CAM table (MAC address <-> physical port association), which should be the case as long as the machine is active on the network.

If you want to intercept packets between two machines, you can either mirror the physical port on the switch to copy the information received by this port, or perform an ARP cache poisoning attack on the local network, which will allow you to receive all traffic from one machine to another, also known as a MITM attack (man in the middle), which is quite easy to produce on a Linux machine.
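As an added illustration of the CAM-table behaviour described in this answer (example code, not part of the original post): a small Python simulation of a learning switch with a mirror (SPAN) port, showing that the third device sees the unicast UDP frames only while the destination MAC is still unknown to the switch, or when its port is mirrored. Port names and MAC addresses are constructed.

```python
# Added example (not from the question or answer): a learning Layer 2 switch
# with a CAM table and an optional mirror (SPAN) port. Names are constructed.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str
    dst: str

@dataclass
class LearningSwitch:
    ports: list
    cam: dict = field(default_factory=dict)     # MAC -> port it was learned on
    mirror: dict = field(default_factory=dict)  # ingress port -> SPAN port

    def forward(self, in_port: str, frame: Frame) -> set:
        """Return the set of egress ports that receive the frame."""
        # Learn the sender's MAC on the ingress port (CAM table update).
        self.cam[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            # Broadcast or unknown unicast: flood to every port except ingress.
            out = {p for p in self.ports if p != in_port}
        else:
            # Known unicast: deliver only to the port where that MAC lives.
            out = {self.cam[frame.dst]}
        # Port mirroring copies whatever enters in_port to the SPAN port.
        if in_port in self.mirror:
            out.add(self.mirror[in_port])
        return out

def demo() -> dict:
    """Scenario from the question: A (p1) sends UDP to B (p2); C listens on p3."""
    A, B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    sw = LearningSwitch(ports=["p1", "p2", "p3"])
    results = {}
    # 1. B is not in the CAM table yet: the first frame is flooded, so p3 sees it.
    results["unknown"] = sw.forward("p1", Frame(A, B))
    # 2. B replies (e.g. ARP), so the switch learns B on p2.
    sw.forward("p2", Frame(B, A))
    # 3. A -> B is now known unicast: only p2 receives it, C on p3 does not.
    results["known"] = sw.forward("p1", Frame(A, B))
    # 4. Mirror p1 to p3 (SPAN): C gets a copy without changing normal forwarding.
    sw.mirror["p1"] = "p3"
    results["mirrored"] = sw.forward("p1", Frame(A, B))
    return results
```

Real switches also age CAM entries out after a timeout, so a long-idle destination briefly behaves like the "unknown" case again until it transmits.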

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 elalitte