Re: mirroring cable model traffic

["Ric Getter" <ric () rgetter com>]

--
Ric Getter
ric:getter communications
http://www.rgetter.com/
Portland, Oregon

> -----Original Message-----
> From: Robert Taylor [mailto:rgt () wi mit edu]
> Sent: Monday, April 7, 2008 05:04 PM
> To: 'Chas Meyer'
> Cc: security-basics () securityfocus com
> Subject: Re: mirroring cable model traffic
>
> Is it a dual speed hub? Dual speed hubs that I've used were essentially 
> 2 hubs(one running at 100mb and the other at 10mb) with a bridge between 
> the two of them in one box. So, if all the traffic is happening on at 
> 10mb, and your snort box negotiated to it at 100mb, all you will see is 
> broadcast traffic.
>
> Most cable modems are 10mb on the ethernet side, as is the wan port on 
> most embedded firewall boxes.
> I would guess that the nic in your snort pc is running at 100. Switch it 
> to 10mb if you can and I think that will solve it.
>
> Let me know if that works.
>
> rgt
>
> Chas Meyer wrote:
> > Just a quick question - I've decided to run snort on all the traffic 
> > running in and out of my house.  Since my home switch is unmanaged (I 
> > can't set up a mirror port), I've done it ghetto style.  I set up a hub 
> > in between my cable modem and my router/switch and plugged the interface 
> > on my server that I would like to use for sniffing into that hub.  
> > However, when I test this rig with tcpdump (using command: sudo tcpdump 
> > -vvv -i eth0), all I am getting is arp requests on my ISP's network, 
> > even with internet use from my local network.  Shouldn't I also be 
> > seeing all the traffic that is originating and terminating at my 
> > router/switch?  Any help would be great.  Thanks.