Even if a switch floods all ports, it does not change the fact the packet will not have the correct MAC address and his NIC should never pass it up the stack. Switches do not rewrite the Ethernet addresses on packets.
Correct, ethernet switches do not. The question is, what were the systems in question connecting to? Many hotels bought into proprietary broadband systems, some of which are still in service. Just because there's an ethernet port in the room says nothing about the hotel's internal net. Some of them did(do) a very poor job of encapsulating or translating the ethernet (or even layer 3, some of them were IP-only) at the room, converting to some other p-t-p method (i.e. atm pvc logic, similar to dsl), and again converting (badly) back downstairs. It's entirely possible the next IP speaking box in line does not, in fact, know what the MAC of the client PC on the end of the line actually is. Room 2037A gets the traffic for room 2037A, regardless of what the router's arp cache or the switch's mac map actually says. The MAC seen may very well be generated by the concentrating equipment and not the peecee. Even if the IP is negotiated with the node, a la pppoe, there's no certainty that the traffic isn't modified in between. Without speaking to someone "in the know" about the hotel, there's no telling what actually happened. All of which misses the issue he suggested, that traffic in any public arena must be viewed as suspect. Yes, Corporations who rely on an edge firewall solution and do not standardize on some form of node protection and audit process are likely exposing themselves to this sort of thing all the time. Should they fix it? Probably, but few of them are employing me/us, so there's nothing I or most here can do about it. That's not a technical problem. :-\ -- Ray Wong rayw@rayw.net