Snort mailing list archives
Re: eth0 without ip
From: "David Culp" <dculp () sc rr com>
Date: Mon, 3 Feb 2003 20:36:08 -0500
Thanks for the information ...

The eth1 (Headless) interface is using the "no transmit" cable to "mirror" the switch port that our public router is connected to. Other than hardware errors, it seems to be catching all traffic (sent/recv) that is passing through the router.

Public Switch:
  Port m <-> ISP Router
  Port n <-> Snort eth1 interface (no transmit)

where the switch is set to mirror all traffic (<-> m) to n.

David

----- Original Message -----
From: "Matt Kettler" <mkettler () evi-inc com>
To: "David Culp" <dculp () sc rr com>; <snort-users () lists sourceforge net>
Sent: Monday, February 03, 2003 8:07 PM
Subject: Re: [Snort-users] eth0 without ip
Hmm, I'd not recommend trying to simply "cut the tx pair" with twisted pair ethernet (10 or 100mbit). You won't get an ethernet link when doing so unless your hub is broken and/or badly designed. (then again, lots of hardware is in fact broken)

This mechanism does work when cutting the TX pin of an AUI connector however.

The snort FAQ has some documentation about how to properly make a receive only ethernet cable that should work for hubbed 10mbit applications. (it's essentially a cut TX pair at the ethernet side, with feed-back from the ethernet's RX pair to the hub's RX.)

http://www.snort.org/docs/faq.html#3.1

100mbit or switched is trickier to do "real hardware receive only" cabling, you need to make a "denatured" cable that has the pairs mismatched. This winds up with a cable with the wrong impedance that works for the short link-check pattern, but fails for real packets. Or buy a commercial tapping device for it.

At 06:52 PM 2/3/2003 -0500, David Culp wrote:
The best method is to cut the "transmit pair" on the cable from the "public" interface.

David
Current thread:
- eth0 without ip David Culp (Feb 03)
- Re: eth0 without ip Matt Kettler (Feb 03)
- Re: eth0 without ip David Culp (Feb 03)
- Re: eth0 without ip Matt Kettler (Feb 03)
- Re: eth0 without ip David Culp (Feb 03)
- <Possible follow-ups>
- RE: eth0 without ip Hicks, John (Feb 05)
- Re: eth0 without ip Matt Kettler (Feb 03)