Security Basics mailing list archives

RE: mirroring cable model traffic


From: "Burton Strauss" <security () smallnetsolutions com>
Date: Sat, 12 Apr 2008 12:25:24 -0500

As Dan says - you need a true hub, which is NOT easy to find.  The last one
I know worked was a Linksys, but only the one in the grey package - the
spiffy blue & black one was a switching hub.

Or, you can make a 10/100 Tap (you can make one yourself from parts
available @ Radio Shack, the hardware store et al - instructions are at
snort dot org). The trick there is that you need TWO interfaces as one port
of the tap is the tx (transmit) traffic and the other is the rx (receive).


-----Burton



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Dan Lynch
Sent: Friday, April 11, 2008 12:09 PM
To: Chas Meyer; security-basics () securityfocus com
Subject: RE: mirroring cable model traffic

I've seen this with modern hubs. Try using a much older model hub.

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Chas Meyer
Sent: Sunday, April 06, 2008 11:35 PM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic

Just a quick question - I've decided to run snort on all the 
traffic running in and out of my house.  Since my home switch 
is unmanaged (I can't set up a mirror port), I've done it 
ghetto style.  I set up a hub in between my cable modem and 
my router/switch and plugged the interface on my server that 
I would like to use for sniffing into that hub.  However, 
when I test this rig with tcpdump (using command: sudo 
tcpdump -vvv -i eth0), all I am getting is arp requests on my 
ISP's network, even with internet use from my local network.  
Shouldn't I also be seeing all the traffic that is 
originating and terminating at my router/switch?  Any help 
would be great.  Thanks.
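
Added example, not part of the original thread: with the tap described in the reply above, each monitor port carries one direction, so a capture taken on each of the two sniffing interfaces has to be interleaved by timestamp before a conversation can be read in order. The Python below does that for two classic pcap byte strings; the function names and sample frames are constructed for illustration, and it assumes both captures were stamped by the same clock and are each already in time order.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap with microsecond timestamps

def read_pcap(data):
    """Yield (timestamp_us, frame_bytes) from a classic pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + caplen]
        if len(frame) < caplen:
            break  # truncated final record, stop cleanly
        offset += caplen
        yield sec * 1_000_000 + usec, frame

def merge_directions(tx_pcap, rx_pcap):
    """Interleave the tx-port and rx-port captures into one time-ordered list."""
    tx = ((ts, "tx", frame) for ts, frame in read_pcap(tx_pcap))
    rx = ((ts, "rx", frame) for ts, frame in read_pcap(rx_pcap))
    # heapq.merge keeps each input's order and breaks timestamp ties tx-first
    return list(heapq.merge(tx, rx, key=lambda rec: rec[0]))

def build_pcap(records):
    """Build a little-endian pcap byte string from (timestamp_us, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts_us, frame in records:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                           len(frame), len(frame))
        out += frame
    return out

# Constructed sample: placeholder payloads, not real Ethernet frames.
TX_SAMPLE = build_pcap([(1_000_100, b"syn"), (1_000_300, b"ack")])
RX_SAMPLE = build_pcap([(1_000_200, b"syn-ack"), (1_000_400, b"data")])

if __name__ == "__main__":
    for ts_us, direction, frame in merge_directions(TX_SAMPLE, RX_SAMPLE):
        print(ts_us, direction, frame)
```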


