Security Basics mailing list archives

Re: mirroring cable model traffic


From: Alasdair Gow <alasdair.gow () lumison net>
Date: Tue, 08 Apr 2008 09:17:20 +0100

Is your interface in promiscuous mode? Listening on 0.0.0.0, or just up without an IP?


Chas Meyer wrote:
It's a Linksys NH1005 10/100 5-port hub (I actually had to go to Walmart to buy this thing since no one else sells hubs anymore locally, only switches). However, I decided to punk out and just set up what was going to be my monitoring station as a firewall/router/squid-server/snort/whatever-the-hell-else-I-want in between my cable modem and my router/switch (which I put into bridge mode). This will give me more flexibility, and I should be able to get meaningful IP info this way since I can monitor on the inside of the NAT setup. Works great - shorewall, squid, and snort are a breeze to set up (I highly recommend it). So now it's off to return my hub to the store and pick up a UPS for my newly minted router/server.


On Apr 7, 2008, at 2:19 PM, Philip Fagan wrote:

What kind of hub?



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Chas Meyer
Sent: Monday, April 07, 2008 12:35 AM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic

Just a quick question - I've decided to run snort on all the traffic
running in and out of my house.  Since my home switch is unmanaged (I
can't set up a mirror port), I've done it ghetto style.  I set up a
hub in between my cable modem and my router/switch and plugged the
interface on my server that I would like to use for sniffing into that
hub.  However, when I test this rig with tcpdump (using command: sudo
tcpdump -vvv -i eth0), all I am getting is arp requests on my ISP's
network, even with internet use from my local network.  Shouldn't I
also be seeing all the traffic that is originating and terminating at
my router/switch?  Any help would be great.  Thanks.



--
Alasdair Gow
Lumison
t: 0845 1199 900
d: 0131 514 4042

P.S. It's a hat-trick - Lumison have been nominated for best business broadband, best email and best VoIP provider for the 2008 ISPAs

