mailing list archives
Re: mirroring cable model traffic
From: Chas Meyer <chas.meyer () gmail com>
Date: Mon, 7 Apr 2008 15:05:55 -0500
Its a Linksys NH1005 10/100 5-port hub (I actually had to go to
Walmart to buy this thing since no one else sells hubs anymore
locally, only switches). However, I decided to punk out and just set
up what was going to be my monitoring station as a firewall/router/
squid-server/snort/whatever-the-hell-else-I-want in between my cable
modem and my router/switch (which I put into bridge mode). This will
give me more flexibility, and I should be able to get meaningful IP
info this way since I can monitor on the inside of the NAT setup.
Works great - shorewall, squid, and snort are a breeze to set up (I
highly recommend it). So now its off to return my hub to the store
and pick up a UPS for my newly minted router/server.
On Apr 7, 2008, at 2:19 PM, Philip Fagan wrote:
What kind of hub?
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com
On Behalf Of Chas Meyer
Sent: Monday, April 07, 2008 12:35 AM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic
Just a quick question - I've decided to run snort on all the traffic
running in and out of my house. Since my home switch is unmanaged (I
can't set up a mirror port), I've done it ghetto style. I set up a
hub in between my cable modem and my router/switch and plugged the
interface on my server that I would like to use for sniffing into that
hub. However, when I test this rig with tcpdump (using command: sudo
tcpdump -vvv -i eth0), all I am getting is arp requests on my ISP's
network, even with internet use from my local network. Shouldn't I
also be seeing all the traffic that is originating and terminating at
my router/switch? Any help would be great. Thanks.