Snort mailing list archives
RE: Doing sniffing on interface without ip-address.
From: "Chavez Gutierrez, Freddy" <fchavez () intercorp com pe>
Date: Fri, 2 Nov 2001 17:50:53 -0500
This is an extract from http://www.snort.org/docs/faq.html : 3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I setup snort on a 'stealth' interface? A: Bring up the interface without an IP address on it. See FAQ 3.2... http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/ A: Use an ethernet tap, or build your own 'receive-only' ethernet cable. http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm A: Anyway, here is the cable I use: LAN Sniffer 1 -----\ /-- 1 2 ---\ | \-- 2 3 ---+-*------- 3 4 - | - 4 5 - | - 5 6 ---*-------- 6 7 - - 7 8 - - 8 Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though. 3.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I run snort on an interface with no IP address? A: ifconfig ethN up Freddy Chávez. -----Mensaje original----- De: Ashley Thomas [mailto:athomas () unity ncsu edu] Enviado el: Friday, November 02, 2001 5:15 PM Para: snort-users () lists sourceforge net Asunto: [Snort-users] Doing sniffing on interface without ip-address. hi, Where can i get some information how to listen on a network interface in PROMISCOUS mode without setting an ip-address on the interface. Any pointers / hints is welcome. thanks a lot Ashley _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Doing sniffing on interface without ip-address. Ashley Thomas (Nov 02)
- Re: Doing sniffing on interface without ip-address. Greg Sarsons (Nov 02)
- Re: Doing sniffing on interface without ip-address. Ashley Thomas (Nov 02)
- Re: Doing sniffing on interface without ip-address. Skip Carter (Nov 02)
- Re: Doing sniffing on interface without ip-address. Ashley Thomas (Nov 02)
- <Possible follow-ups>
- RE: Doing sniffing on interface without ip-address. Chavez Gutierrez, Freddy (Nov 02)
- Re: Doing sniffing on interface without ip-address. roel (Nov 02)
- RE: Doing sniffing on interface without ip-address. Kris Quinby (Nov 02)
- Re: Doing sniffing on interface without ip-address. Greg Sarsons (Nov 02)