As Dan says - you need a true hub, which are NOT easy to find. The
I know worked was a Linksys, but only the one in the grey package -
spiffy blue & black one was a switching hub.
Or, you can make a 10/100 Tap (you can make one yourself from parts
available @ Radio Shack, the hardware store et al - instructions are
snort dot org. The trick there is that you need TWO interfaces as
of the tap is the tx (transmit) traffic and the other is the rx

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com
Behalf Of Dan Lynch
Sent: Friday, April 11, 2008 12:09 PM
To: Chas Meyer; security-basics () securityfocus com
Subject: RE: mirroring cable model traffic

I've seen this with modern hubs. Try using a much older model hub.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer

From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Chas Meyer
Sent: Sunday, April 06, 2008 11:35 PM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic

Just a quick question - I've decided to run snort on all the
traffic running in and out of my house. Since my home switch
is unmanaged (I can't set up a mirror port), I've done it
ghetto style. I set up a hub in between my cable modem and
my router/switch and plugged the interface on my server that
I would like to use for sniffing into that hub. However,
when I test this rig with tcpdump (using command: sudo
tcpdump -vvv -i eth0), all I am getting is ARP requests on my
ISP's network, even with internet use from my local network.
Shouldn't I also be seeing all the traffic that is
originating and terminating at my router/switch? Any help
would be great. Thanks.
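
An added example, not part of the original thread: a check for the symptom discussed above, where the sniffing port only ever sees broadcast traffic because the "hub" is really switching. It reads `tcpdump -e -n` output lines; the MAC addresses, capture lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample data: every MAC, address and capture line below is made up.
SNIFFER_MAC = "02:00:00:00:00:10"  # the sniffing interface's own MAC (assumed)
ARP = "12:00:0%d.000000 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.%d tell 10.0.0.1, length 46"
FILTERED_CAPTURE = [ARP % (i, i + 20) for i in range(3)]
REPEATING_CAPTURE = FILTERED_CAPTURE + [
    "12:00:04.000000 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.2.40000 > 192.0.2.80.80: Flags [S], length 0",
    "12:00:04.020000 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 192.0.2.80.80 > 10.0.0.2.40000: Flags [S.], length 0",
]

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# tcpdump -e -n prints: <time> <src MAC> > <dst MAC>, ethertype ...
FRAME_RE = re.compile(rf"^\S+ ({MAC}) > ({MAC}),", re.IGNORECASE)

def classify(line, own_mac):
    """Return the class of one captured frame, or None if the line is not a frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    src, dst, own = m.group(1).lower(), m.group(2).lower(), own_mac.lower()
    if src == own:
        return "own"                  # frames this host sent itself
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst[:2], 16) & 1:          # group bit set in the first octet
        return "multicast"
    return "to_me" if dst == own else "foreign_unicast"

def assess(lines, own_mac):
    """Return (verdict, counts) for a capture taken on the sniffing port."""
    counts = Counter(c for c in (classify(l, own_mac) for l in lines) if c)
    if not counts:
        verdict = "no frames parsed"
    elif counts["foreign_unicast"]:
        verdict = "repeating"         # other hosts' unicast is visible: true hub or tap
    else:
        verdict = "filtered"          # only broadcast/multicast/own: device is switching
    return verdict, counts

if __name__ == "__main__":
    for name, cap in (("filtered", FILTERED_CAPTURE), ("repeating", REPEATING_CAPTURE)):
        verdict, counts = assess(cap, SNIFFER_MAC)
        print(name, "->", verdict, dict(counts))
```

Generate traffic from another machine on the network while capturing, otherwise a quiet link also reports "filtered". A switch floods unicast to all ports until it has learned the destination MAC, so a few foreign frames right after power-up do not prove the device is a hub.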