Security Basics mailing list archives

Re: mirroring cable model traffic


From: "Robert Taylor" <rgt () wi mit edu>
Date: Mon, 07 Apr 2008 20:04:47 -0400

Is it a dual speed hub? Dual speed hubs that I've used were essentially 2 hubs (one running at 100mb and the other at 10mb) with a bridge between the two of them in one box. So, if all the traffic is happening at 10mb, and your snort box negotiated to it at 100mb, all you will see is broadcast traffic.

Most cable modems are 10mb on the Ethernet side, as is the WAN port on most embedded firewall boxes. I would guess that the NIC in your snort PC is running at 100. Switch it to 10mb if you can and I think that will solve it.

Let me know if that works.

rgt

Chas Meyer wrote:
Just a quick question - I've decided to run snort on all the traffic running in and out of my house. Since my home switch is unmanaged (I can't set up a mirror port), I've done it ghetto style. I set up a hub in between my cable modem and my router/switch and plugged the interface on my server that I would like to use for sniffing into that hub. However, when I test this rig with tcpdump (using command: sudo tcpdump -vvv -i eth0), all I am getting is ARP requests on my ISP's network, even with internet use from my local network. Shouldn't I also be seeing all the traffic that is originating and terminating at my router/switch? Any help would be great. Thanks.
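
The check suggested in the reply above, as an added example that is not part of the thread: it compares the sniffer NIC's negotiated speed with the speed of the modem/router segment and counts unicast frames in `tcpdump -e -n` output. The function names, the Linux sysfs path and the `ethtool` line (one way to force 10 Mb/s half duplex) are assumptions, not something either poster ran.

```shell
#!/bin/sh
# Added example: spot a sniffer NIC stuck on the wrong side of a dual-speed
# hub's internal bridge (only broadcast/multicast frames cross that bridge).
# Typical use:  tcpdump -e -n -c 200 -i eth0 | diagnose eth0 10

# link_speed IFACE [SYSFS_ROOT] -> negotiated speed in Mb/s, or "unknown".
# SYSFS_ROOT defaults to Linux's /sys/class/net; overridable for offline runs.
link_speed() {
    cat "${2:-/sys/class/net}/$1/speed" 2>/dev/null || echo unknown
}

# unicast_frames: reads `tcpdump -e -n` text on stdin and prints how many
# frames have a unicast destination MAC. With -e each line starts
# "<time> <src-mac> > <dst-mac>, ...". A MAC is group-addressed (broadcast
# or multicast) when the low bit of its first octet is set, i.e. when its
# second hex digit is odd.
unicast_frames() {
    awk '$3 == ">" && $4 ~ /^[0-9A-Fa-f][0-9A-Fa-f]:/ {
             if (substr($4, 2, 1) !~ /[13579BbDdFf]/) n++
         }
         END { print n + 0 }'
}

# diagnose IFACE SEGMENT_MBPS [SYSFS_ROOT]   (capture text on stdin)
# SEGMENT_MBPS is the speed the modem/router side of the hub runs at
# (10 in the reply above). Prints one verdict line.
diagnose() {
    speed=$(link_speed "$1" "$3")
    ucast=$(unicast_frames)
    if [ "$ucast" -gt 0 ]; then
        echo "ok: $ucast unicast frames visible on $1"
    elif [ "$speed" != "$2" ]; then
        echo "mismatch: $1 linked at $speed Mb/s, segment at $2 Mb/s;" \
             "try: ethtool -s $1 speed $2 duplex half autoneg off"
    else
        echo "inconclusive: no unicast frames, but $1 already at $2 Mb/s"
    fi
}
```
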