IDS mailing list archives
Sniffing split connections
From: Chris Mills <securinate () gmail com>
Date: Mon, 11 Apr 2005 11:37:29 -0500
Hi all-

Here's the problem I'm having: I have a client site that has two physical connections from its ATM switch that connect to two different providers. The ATM switch uses both connections all the time (not set up as a failover.) The ATM switch at the site will not let me mirror the ports so I can't sniff there... and after the two providers, the connection is too fast for my equipment. I am using Snort 2.3.2 on PowerEdge 1750's.

If I place a sniffer at both provider A and provider B, is there a way I can reassemble the traffic so I can see complete sessions? The two providers are on different sides of town.

           |--------|PROVIDER A|\
Client Site|                     |-----------|INTERNET|
           |--------|PROVIDER B|/

Thanks very much,
Chris