Home page logo

basics logo Security Basics mailing list archives

RE: Read Only Ethernet Cable
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 12 Feb 2003 19:29:27 -0800

I'm assuming here by the information you've given so if I'm 
wrong please correct me. You want to make a cable that allows 
the traffic to go in one direction. the idea being that your 
snort box does not send information just receives it. I don't 
think you can do this with a special cable as ethernet need to 
be able to send acks back to let the sending side know that it 
received that data.

  This would be true ONLY if the snort box were the intended 
destination of the traffic.  BUT IT'S NOT!
  The snort box just wants to sniff traffic passing by it, 
between other endpoints.  As long as the endpoints can 
acknowledge each other, the traffic will flow.
  On a "repeated segment" (hub or mirrored switch port), the
traffic will be visible at the snort box's NIC, and can be seen
as long as the NIC is in promiscuous mode.  The read-only cable
ensures that nothing on the snort box will give itself away by
sending on this segment, so

(a) full duplex still works without fear of collisions, and

(b) techniques for detecting sniffers will fail.

  The question is:  Is the wiring diagram correct?

  It looks about right to me, but I don't have a spec handy to
check it against.

David Gillett

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]