Snort mailing list archives
Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic
From: "Larry E. Smith Jr." <lsmithjr () monster-solutions net>
Date: Thu, 9 Aug 2001 10:57:22 -0400
This is just a crossover cable, right? I made one and plugged one end into my snort box and the other into the hub and no go!

----- Original Message -----
From: "Dragos Ruiu" <dr () kyx net>
To: "Murphy" <murphy () infomaniak ch>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, August 09, 2001 5:16 AM
Subject: Re: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic
There's other good stuff in the FAQ too. Good detailed info in the second url.

--dr

3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I set up snort on a 'stealth' interface?

A: Bring up the interface without an IP address on it. See FAQ 3.2...
   http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/

A: Use an ethernet tap, or build your own 'receive-only' ethernet cable.
   http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm

A: Anyway, here is the cable I use:

     LAN        Sniffer
    1 -----\   /-- 1
    2 ---\ |   \-- 2
    3 ---+-*------ 3
    4 -  |       - 4
    5 -  |       - 5
    6 ---*-------- 6
    7 -          - 7
    8 -          - 8

Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though.

On Wed, 08 Aug 2001, you wrote:

Excellent point, which raises a slightly off topic question.

Could we imagine making a special "tapping" CAT5 cable, that would, on one end of the cable have an extra twisted pair coming out (connected on the Rx on the normal wires) that would be used for tapping, by feeding those to the snort Box?

I realise, that if it worked, it would limit either incoming or outgoing traffic to be monitored, but still it's a very, very cheap solution when you can go for a switch that has port mirroring.

Murphy.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of stefmit () starband net
Sent: Thursday, August 09, 2001 00:40
To: snort-users () lists sourceforge net
Subject: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic

Great descriptions - just to throw in a "minor" thing: if you deal with full duplex on a switched port, only a tap would save you - have successfully used Shomiti's ones on 100MB FD ports, and used two Snort instances, capturing traffic on both directions. Port mirroring didn't work in that case ...

Stef

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
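An added example, not part of the original thread or the Snort FAQ: a small netlist model of the 'receive-only' cable wiring quoted above, next to an ordinary straight-through cable, checking in which directions a signal can travel. It assumes the standard 10/100 pin roles (a NIC transmits on pins 1,2 and receives on 3,6; a hub port does the reverse); all function and variable names are illustrative.

```python
# Added example: netlist model of the receive-only cable from the quoted FAQ.
# Assumed pin roles (standard 10BASE-T/100BASE-TX, not stated in the thread):
# NIC (MDI) transmits on 1,2 and receives on 3,6; hub port (MDI-X) the reverse.

def nets(wires):
    """Group pins joined by wires into electrical nets (sets of pins)."""
    parent = {}

    def find(p):
        parent.setdefault(p, p)
        while parent[p] != p:
            parent[p] = parent[parent[p]]  # path compression
            p = parent[p]
        return p

    for a, b in wires:
        parent[find(a)] = find(b)
    groups = {}
    for p in list(parent):
        groups.setdefault(find(p), set()).add(p)
    return list(groups.values())

def reaches(wires, src, dst):
    """True if any source pin shares a net with any destination pin."""
    return any(n & set(src) and n & set(dst) for n in nets(wires))

def lan(n):      # pin n on the plug that goes into the hub
    return ("lan", n)

def sniffer(n):  # pin n on the plug that goes into the snort box
    return ("sniffer", n)

HUB_TX, HUB_RX = [lan(3), lan(6)], [lan(1), lan(2)]
NIC_TX, NIC_RX = [sniffer(1), sniffer(2)], [sniffer(3), sniffer(6)]

RECEIVE_ONLY = [                             # wiring as the FAQ describes it
    (sniffer(1), sniffer(2)),                # sniffer 1 and 2 tied together
    (lan(3), sniffer(3)), (lan(6), sniffer(6)),  # 3 and 6 straight through
    (lan(1), lan(3)), (lan(2), lan(6)),      # LAN 1 -> 3 and 2 -> 6
]
STRAIGHT = [(lan(n), sniffer(n)) for n in (1, 2, 3, 6)]  # normal patch cable

def analyse(wires):
    return {
        "lan_to_sniffer": reaches(wires, HUB_TX, NIC_RX),
        "sniffer_to_lan": reaches(wires, NIC_TX, HUB_RX),
        "lan_hears_itself": reaches(wires, HUB_TX, HUB_RX),
    }

if __name__ == "__main__":
    print("receive-only:", analyse(RECEIVE_ONLY))
    print("straight:    ", analyse(STRAIGHT))
```

The `lan_hears_itself` result for the receive-only wiring is the loop the FAQ text blames for confusing a switch's MAC table.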
Current thread:
- RE: RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring), (continued)
- RE: RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring) James Friesen (Aug 09)
- RE: RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring) James Friesen (Aug 10)
- Question? James Friesen (Aug 10)
- Re: Question? Jed Pickel (Aug 10)
- CODE RED III Mark Spieth (Aug 10)
- Re: CODE RED III Mike Baptiste (Aug 10)
- Re: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring) Jim Hankins (Aug 08)
- Re: FAQ 10/100 Hubs Block Other Speed Traffic stefmit (Aug 08)
- Re: FAQ 10/100 Hubs Block Other Speed Traffic Murphy (Aug 08)
- Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic Dragos Ruiu (Aug 09)
- Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic Larry E. Smith Jr. (Aug 09)
- Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic Jeff Ito (Aug 09)
- Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic Larry E. Smith Jr. (Aug 09)
- Re: FAQ 10/100 Hubs Block Other Speed Traffic Erek Adams (Aug 08)
- Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic Larry E. Smith Jr. (Aug 08)
- Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic Rich Adamson (Aug 08)
- Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic Erek Adams (Aug 08)
- Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic Rich Adamson (Aug 08)