RE: Read Only Ethernet Cable
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 12 Feb 2003 19:29:27 -0800
> I'm assuming here by the information you've given, so if I'm
> wrong, please correct me. You want to make a cable that allows
> the traffic to go in one direction. The idea being that your
> snort box does not send information, just receives it. I don't
> think you can do this with a special cable, as Ethernet needs to
> be able to send acks back to let the sending side know that it
> received that data.
This would be true ONLY if the snort box were the intended
destination of the traffic. BUT IT'S NOT!
The snort box just wants to sniff traffic passing by it,
between other endpoints. As long as the endpoints can
acknowledge each other, the traffic will flow.
On a "repeated segment" (hub or mirrored switch port), the
traffic will be visible at the snort box's NIC, and can be seen
as long as the NIC is in promiscuous mode. The read-only cable
ensures that nothing on the snort box will give itself away by
sending on this segment, so
(a) full duplex still works without fear of collisions, and
(b) techniques for detecting sniffers will fail.
The question is: Is the wiring diagram correct?
It looks about right to me, but I don't have a spec handy to
check it against.
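
The reply above depends on the sensor NIC being promiscuous and never transmitting. The following is an added example, not part of the original message: a host-side check of that receive-only posture from two counter snapshots. It assumes a Linux sysfs layout (`/sys/class/net` as `sysfs_root` on a real host); the interface name and all sample values are constructed.

```python
import os
import tempfile

IFF_UP = 0x1        # Linux interface flag bits (linux/if.h)
IFF_PROMISC = 0x100

def read_iface(sysfs_root, iface):
    """Read flags and packet counters for iface from a sysfs-style tree."""
    base = os.path.join(sysfs_root, iface)
    def read(rel):
        with open(os.path.join(base, rel)) as f:
            return f.read().strip()
    return {
        "flags": int(read("flags"), 16),
        "rx": int(read("statistics/rx_packets")),
        "tx": int(read("statistics/tx_packets")),
    }

def audit_sensor(before, after):
    """Compare two snapshots; return findings that break the receive-only posture."""
    findings = []
    if not after["flags"] & IFF_UP:
        findings.append("interface is down")
    if not after["flags"] & IFF_PROMISC:
        findings.append("not promiscuous: traffic between other endpoints is dropped")
    sent = after["tx"] - before["tx"]
    if sent:
        findings.append(f"{sent} frame(s) transmitted: sensor is not silent")
    if after["rx"] == before["rx"]:
        findings.append("nothing received: check hub or mirror port")
    return findings

def write_iface(root, iface, flags, rx, tx):
    """Build a constructed sysfs-like entry so the example runs offline."""
    stats = os.path.join(root, iface, "statistics")
    os.makedirs(stats, exist_ok=True)
    for rel, val in (("flags", hex(flags)), ("statistics/rx_packets", rx),
                     ("statistics/tx_packets", tx)):
        with open(os.path.join(root, iface, rel), "w") as f:
            f.write(f"{val}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:   # constructed data, not a real host
        write_iface(root, "eth1", 0x1103, 5000, 12)
        before = read_iface(root, "eth1")
        write_iface(root, "eth1", 0x1103, 9000, 14)  # two frames leaked out
        print(audit_sensor(before, read_iface(root, "eth1")))
```

A rising transmit counter means software on the sensor is still trying to send, which the cable masks on the wire but which is worth fixing at the source.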