Snort mailing list archives
RE: eth0 without ip
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Wed, 5 Feb 2003 11:51:25 -0500
I did find a way to use a capacitor on the transfer wire to enable it to send a *minimum* signal across which will indicate a link, but not enough to allow traffic to cross over.
From the Intro:
Ethernet hubs (or switches) check the "link status" of the cable, which is done by periodically detecting if any signal has ever been received. If you simply disconnect the transmit pair of the cable, the hub will not detect anything from the cable and therefore report the cable as "not connected". The method here tries to introduce a large amount of errors in the transmission path, so that signal can still be detected, but almost no packet can pass the CRC error check.

http://www.geocities.com/samngms/sniffing_cable/

HTH,
John Hicks

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Monday, February 03, 2003 8:58 PM
To: David Culp
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] eth0 without ip

Ahh, given that it's a mirror port, the switch probably forwards packets always and ignores the input link signal. A lot of hardware won't do that. It will refuse to send unless there's a link-beat coming back in.

At 08:36 PM 2/3/2003 -0500, David Culp wrote:
Thanks for the information ...
The eth1 (Headless) interface is using the "no transmit" cable
to "mirror" the switch port that our public router is connected to.
Other than hardware errors, it seems to be catching all traffic (sent/recv)
that is passing through the router.
Public Switch:
Port m <-> ISP Router
Port n <-> Snort eth1 interface (no transmit)
where the switch is set to mirror all traffic (<-> m) to n.
David
-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
