Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic

["Larry E. Smith Jr." <lsmithjr () monster-solutions net>]

yeah I know. But the instructions for a read only cable that Murphy was
talking about was a cross over cable. anyone know how to properly make a
read only cat5 cable?

----- Original Message -----
From: "Jeff Ito" <jeff () delnoch net>
To: "Larry E. Smith Jr." <lsmithjr () monster-solutions net>
Cc: "Dragos Ruiu" <dr () kyx net>; "Murphy" <murphy () infomaniak ch>;
<snort-users () lists sourceforge net>
Sent: Thursday, August 09, 2001 12:23 PM
Subject: Re: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic


> machine->hub is a straight through, not a cross-over
>
> jeff
>
> > This is just a cross over cable right? I made one and plugged one end
into
> > my snort box and the other into the hub and no go!
> >
> >
> > ----- Original Message -----
> > From: "Dragos Ruiu" <dr () kyx net>
> > To: "Murphy" <murphy () infomaniak ch>
> > Cc: <snort-users () lists sourceforge net>
> > Sent: Thursday, August 09, 2001 5:16 AM
> > Subject: Re: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic
> >
> >
> > > There's other good stuff in the FAQ too.
> > > Good detailed info in the second url. --dr
> > >
> > > 3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
> > > Q:  How do I setup snort on a 'stealth' interface?
> > >
> > > A:  Bring up the interface without an IP address on it. See FAQ 3.2...
> > >     http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
> > > A:  Use an ethernet tap, or build your own 'receive-only' ethernet
cable.
> > >     http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm
> > > A:  Anyway, here is the cable I use:
> > >
> > >     LAN Sniffer
> > >     1 -----\ /-- 1
> > >     2 ---\ | \-- 2
> > >     3 ---+-*------- 3
> > >     4 - | - 4
> > >     5 - | - 5
> > >     6 ---*-------- 6
> > >     7 - - 7
> > >     8 - - 8
> > >
> > >     Basically, 1 and 2 on the sniffer side are connected, 3 and 6
> > >     straight through to the LAN. 1 and 2 on the LAN side connect to 3
and
> > >     6 respectively. This fakes a link on both ends but only allows
> > >     traffic from the LAN to the sniffer. It also causes the 'incoming'
> > >     traffic to be sent back to the LAN, so this cable only works well
on
> > >     a hub. You can use it on a switch but you will get ...err...
> > >     interesting results. Since the switch receives the packets back in
on
> > >     the port it sent them out, the MAC table gets confused and after a
> > >     short while devices start to drop off the switch. Works like a
charm
> > >     on a hub though.
> > >
> > >
> > >
> > >
> > > On Wed, 08 Aug 2001, you wrote:
> > > > Excellent point, which raises a slightly off topic question.
> > > >
> > > > Could we imagine making a special "tapping" CAT5 cable, that would,
on
> > one
> > > > end of the cable have an extra twisted pair comming out (connected
on
> > the Rx
> > > > on the normal wires) that would be used for tapping, by feeding
those to
> > the
> > > > snort Box ?
> > > > I realise, that if it worked, it would limit either incoming or
outgoing
> > > > traffic to be monitored, but still it's a very, very cheap solution
when
> > you
> > > > can go for a switch that has port mirroring.
> > > >
> > > > Murphy.
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: snort-users-admin () lists sourceforge net
> > > > [mailto:snort-users-admin () lists sourceforge net]On Behalf Of
> > > > stefmit () starband net
> > > > Sent: Thursday, August 09, 2001 00:40
> > > > To: snort-users () lists sourceforge net
> > > > Subject: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic
> > > >
> > > >
> > > > Great descriptions - just to throw in a "minor" thing: if you deal
with
> > > > full duplex on a switched port, only a tap would save you - have
> > > > succesfully used Shomiti's ones on 100MB FD ports, and used two
> > > > Snort instances, capturing traffic on both directions. Port
mirroring
> > > > didn't work in that case ...
> > > >
> > > > Stef
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > --
> > > Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from
the
> > future
> > > gpg/pgp key on file at wwwkeys.pgp.net or at
http://dursec.com/drkey.asc
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users