From: Robert Taylor [mailto:rgt () wi mit edu]
Sent: Monday, April 7, 2008 05:04 PM
To: 'Chas Meyer'
Cc: security-basics () securityfocus com
Subject: Re: mirroring cable model traffic
Is it a dual speed hub? Dual speed hubs that I've used were essentially
2 hubs (one running at 100mb and the other at 10mb) with a bridge between
the two of them in one box. So, if all the traffic is happening at
10mb, and your snort box negotiated to it at 100mb, all you will see is
Most cable modems are 10mb on the Ethernet side, as is the WAN port on
most embedded firewall boxes.
I would guess that the NIC in your snort PC is running at 100. Switch it
to 10mb if you can and I think that will solve it.
Let me know if that works.
Chas Meyer wrote:
Just a quick question - I've decided to run snort on all the traffic
running in and out of my house. Since my home switch is unmanaged (I
can't set up a mirror port), I've done it ghetto style. I set up a hub
in between my cable modem and my router/switch and plugged the interface
on my server that I would like to use for sniffing into that hub.
However, when I test this rig with tcpdump (using command: sudo tcpdump
-vvv -i eth0), all I am getting is ARP requests on my ISP's network,
even with internet use from my local network. Shouldn't I also be
seeing all the traffic that is originating and terminating at my
router/switch? Any help would be great. Thanks.