Security Basics mailing list archives

Re: mirroring cable model traffic


From: Chas Meyer <chas.meyer () gmail com>
Date: Mon, 7 Apr 2008 15:05:55 -0500

It's a Linksys NH1005 10/100 5-port hub (I actually had to go to Walmart to buy this thing since no one else sells hubs anymore locally, only switches). However, I decided to punk out and just set up what was going to be my monitoring station as a firewall/router/squid-server/snort/whatever-the-hell-else-I-want in between my cable modem and my router/switch (which I put into bridge mode). This will give me more flexibility, and I should be able to get meaningful IP info this way since I can monitor on the inside of the NAT setup. Works great - shorewall, squid, and snort are a breeze to set up (I highly recommend it). So now it's off to return my hub to the store and pick up a UPS for my newly minted router/server.


On Apr 7, 2008, at 2:19 PM, Philip Fagan wrote:

What kind of hub?



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com ]
On Behalf Of Chas Meyer
Sent: Monday, April 07, 2008 12:35 AM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic

Just a quick question - I've decided to run snort on all the traffic
running in and out of my house.  Since my home switch is unmanaged (I
can't set up a mirror port), I've done it ghetto style.  I set up a
hub in between my cable modem and my router/switch and plugged the
interface on my server that I would like to use for sniffing into that
hub.  However, when I test this rig with tcpdump (using command: sudo
tcpdump -vvv -i eth0), all I am getting is arp requests on my ISP's
network, even with internet use from my local network.  Shouldn't I
also be seeing all the traffic that is originating and terminating at
my router/switch?  Any help would be great.  Thanks.

