Home page logo

basics logo Security Basics mailing list archives

Re: mirroring cable model traffic
From: "Ric Getter" <ric () rgetter com>
Date: Tue, 08 Apr 2008 14:51:17 +0000


Ric Getter
ric:getter communications
Portland, Oregon

-----Original Message-----
From: Robert Taylor [mailto:rgt () wi mit edu]
Sent: Monday, April 7, 2008 05:04 PM
To: 'Chas Meyer'
Cc: security-basics () securityfocus com
Subject: Re: mirroring cable model traffic

Is it a dual speed hub? Dual speed hubs that I've used were essentially 
2 hubs(one running at 100mb and the other at 10mb) with a bridge between 
the two of them in one box. So, if all the traffic is happening on at 
10mb, and your snort box negotiated to it at 100mb, all you will see is 
broadcast traffic.

Most cable modems are 10mb on the ethernet side, as is the wan port on 
most embedded firewall boxes.
I would guess that the nic in your snort pc is running at 100. Switch it 
to 10mb if you can and I think that will solve it.

Let me know if that works.


Chas Meyer wrote:
Just a quick question - I've decided to run snort on all the traffic 
running in and out of my house.  Since my home switch is unmanaged (I 
can't set up a mirror port), I've done it ghetto style.  I set up a hub 
in between my cable modem and my router/switch and plugged the interface 
on my server that I would like to use for sniffing into that hub.  
However, when I test this rig with tcpdump (using command: sudo tcpdump 
-vvv -i eth0), all I am getting is arp requests on my ISP's network, 
even with internet use from my local network.  Shouldn't I also be 
seeing all the traffic that is originating and terminating at my 
router/switch?  Any help would be great.  Thanks.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]