Security Basics mailing list archives
Re: mirroring cable model traffic
From: Alasdair Gow <alasdair.gow () lumison net>
Date: Tue, 08 Apr 2008 09:17:20 +0100
Is your interface in promiscuous mode? Listening on 0.0.0.0, or just up without an IP?
Chas Meyer wrote:
It's a Linksys NH1005 10/100 5-port hub (I actually had to go to Walmart to buy this thing since no one else sells hubs anymore locally, only switches). However, I decided to punk out and just set up what was going to be my monitoring station as a firewall/router/squid-server/snort/whatever-the-hell-else-I-want in between my cable modem and my router/switch (which I put into bridge mode). This will give me more flexibility, and I should be able to get meaningful IP info this way since I can monitor on the inside of the NAT setup. Works great - shorewall, squid, and snort are a breeze to set up (I highly recommend it). So now it's off to return my hub to the store and pick up a UPS for my newly minted router/server.

On Apr 7, 2008, at 2:19 PM, Philip Fagan wrote:

What kind of hub?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chas Meyer
Sent: Monday, April 07, 2008 12:35 AM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic

Just a quick question - I've decided to run snort on all the traffic running in and out of my house. Since my home switch is unmanaged (I can't set up a mirror port), I've done it ghetto style. I set up a hub in between my cable modem and my router/switch and plugged the interface on my server that I would like to use for sniffing into that hub. However, when I test this rig with tcpdump (using command: sudo tcpdump -vvv -i eth0), all I am getting is ARP requests on my ISP's network, even with internet use from my local network. Shouldn't I also be seeing all the traffic that is originating and terminating at my router/switch? Any help would be great. Thanks.
-- Alasdair Gow, Lumison
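
The check asked about in the reply above, as an added example that is not part of the original thread: a small script for a Linux sniffing box that reads the kernel's flag word for an interface from sysfs and reports whether it is up, promiscuous, and carrying an IPv4 address. The function names are hypothetical and the flag values in the comments are constructed samples; sysfs is used because ifconfig may not show PROMISC when tcpdump enables it through a packet socket.

```shell
#!/bin/sh
# Added example: is a Linux capture interface ready to sniff?
# Flag bits as defined in <linux/if.h>.
IFF_UP=1          # 0x1
IFF_PROMISC=256   # 0x100

# decode_flags HEX -> "up|down promisc|nopromisc"
# HEX is the value found in /sys/class/net/<iface>/flags,
# e.g. 0x1003 (up, not promiscuous) or 0x1103 (up, promiscuous).
decode_flags() {
    flags=$(( $1 ))
    if [ $(( flags & IFF_UP )) -ne 0 ]; then state=up; else state=down; fi
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then mode=promisc; else mode=nopromisc; fi
    echo "$state $mode"
}

# check_iface NAME -> one-line report built from live kernel state
check_iface() {
    dev=/sys/class/net/$1
    if [ ! -r "$dev/flags" ]; then
        echo "$1: no such interface" >&2
        return 1
    fi
    # Count IPv4 addresses; a passive tap can be "just up" with none.
    addrs=$(( $(ip -o -4 addr show dev "$1" 2>/dev/null | wc -l) ))
    echo "$1: $(decode_flags "$(cat "$dev/flags")"), $addrs IPv4 address(es)"
}

# Run as: sh check_iface.sh eth0   (while tcpdump or snort is capturing)
if [ $# -gt 0 ]; then
    check_iface "$1"
fi
```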