Home page logo

basics logo Security Basics mailing list archives

Re: mirroring cable model traffic
From: Chas Meyer <chas.meyer () gmail com>
Date: Mon, 7 Apr 2008 15:05:55 -0500

Its a Linksys NH1005 10/100 5-port hub (I actually had to go to Walmart to buy this thing since no one else sells hubs anymore locally, only switches). However, I decided to punk out and just set up what was going to be my monitoring station as a firewall/router/ squid-server/snort/whatever-the-hell-else-I-want in between my cable modem and my router/switch (which I put into bridge mode). This will give me more flexibility, and I should be able to get meaningful IP info this way since I can monitor on the inside of the NAT setup. Works great - shorewall, squid, and snort are a breeze to set up (I highly recommend it). So now its off to return my hub to the store and pick up a UPS for my newly minted router/server.

On Apr 7, 2008, at 2:19 PM, Philip Fagan wrote:

What kind of hub?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com ]
On Behalf Of Chas Meyer
Sent: Monday, April 07, 2008 12:35 AM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic

Just a quick question - I've decided to run snort on all the traffic
running in and out of my house.  Since my home switch is unmanaged (I
can't set up a mirror port), I've done it ghetto style.  I set up a
hub in between my cable modem and my router/switch and plugged the
interface on my server that I would like to use for sniffing into that
hub.  However, when I test this rig with tcpdump (using command: sudo
tcpdump -vvv -i eth0), all I am getting is arp requests on my ISP's
network, even with internet use from my local network.  Shouldn't I
also be seeing all the traffic that is originating and terminating at
my router/switch?  Any help would be great.  Thanks.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]