Home page logo
/

basics logo Security Basics mailing list archives

Re: mirroring cable model traffic
From: Alasdair Gow <alasdair.gow () lumison net>
Date: Tue, 08 Apr 2008 09:17:20 +0100

Is your interface in promiscuous mode? listening on 0.0.0.0, or just up without an ip


Chas Meyer wrote:
Its a Linksys NH1005 10/100 5-port hub (I actually had to go to Walmart to buy this thing since no one else sells hubs anymore locally, only switches). However, I decided to punk out and just set up what was going to be my monitoring station as a firewall/router/squid-server/snort/whatever-the-hell-else-I-want in between my cable modem and my router/switch (which I put into bridge mode). This will give me more flexibility, and I should be able to get meaningful IP info this way since I can monitor on the inside of the NAT setup. Works great - shorewall, squid, and snort are a breeze to set up (I highly recommend it). So now its off to return my hub to the store and pick up a UPS for my newly minted router/server.


On Apr 7, 2008, at 2:19 PM, Philip Fagan wrote:

What kind of hub?



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Chas Meyer
Sent: Monday, April 07, 2008 12:35 AM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic

Just a quick question - I've decided to run snort on all the traffic
running in and out of my house.  Since my home switch is unmanaged (I
can't set up a mirror port), I've done it ghetto style.  I set up a
hub in between my cable modem and my router/switch and plugged the
interface on my server that I would like to use for sniffing into that
hub.  However, when I test this rig with tcpdump (using command: sudo
tcpdump -vvv -i eth0), all I am getting is arp requests on my ISP's
network, even with internet use from my local network.  Shouldn't I
also be seeing all the traffic that is originating and terminating at
my router/switch?  Any help would be great.  Thanks.



--
Alasdair Gow
Lumison
t: 0845 1199 900
d: 0131 514 4042

P.S. It's a hat-trick - Lumison have been nominated for best business broadband, best email and best VoIP provider for 
the 2008 ISPAs


--

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison, nplusone or lightershade ltd. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison, nplusone and lightershade ltd accepts no liability for any damage caused by any virus transmitted by this email.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]