Re: Only seeing arp traffic?

["Thorin" <thorinoakenshield () mediaone net>]

Righto -
You're on a Cable modem - attached to some sort of switch upstream.
That would be why you can see only broadcast traffic (all attached devices
will) and traffic directed expressly at you on what looks to be your segment
in Cranston, RI (from the resolved hostnames).

I'm assuming this is a second interface - in place to monitor traffic
destined to your local net?

--Thorin


----- Original Message -----
From: "Paul Asadoorian" <paul.com () home com>
To: "Snort-Users" <snort-users () lists sourceforge net>
Sent: Thursday, July 05, 2001 20:53
Subject: [Snort-users] Only seeing arp traffic?


> I have the following configuration:
>
> Cable Modem
>         /\
>          |
>          |
>         \/
>     HUB <-----> Snort IDS with No IP address (OpenBSD 2.7 Sparc 20, snort
> 1.7rel2)
>         /\
>          |
>          |
>         \/
>    UGate-3200 Firewall
>         /\
>          |
>          |
>         \/
> Rest of network
>
> (All lines are catV ethernet, The one to the cable modem is plugged into
the
> xover port on the hub, every other host on the network is running a-okay).
> Here is a sample of the traffic that I have been seeing:
>
> # tcpdump -i hme0
> tcpdump: WARNING: hme0: no IPv4 address assigned
> tcpdump: listening on hme0
> 20:02:02.967846 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:07.827799 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:10.378441 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:14.391034 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:14.823077 arp who-has 65.11.234.220 tell 65.11.234.129
> 20:02:15.277576 10.67.142.1.bootps > 255.255.255.255.bootpc:  xid:0x39ac
> flags:0x8000 Y:10.108.47.8 S:24.2.0.14 G:10.67.142.1 ether
0:20:40:b4:39:ac
> [|bootp]
> 20:02:15.375589 10.67.142.1.bootps > 255.255.255.255.bootpc:  xid:0x39ac
> flags:0x8000 Y:10.108.47.8 S:24.2.0.14 G:10.67.142.1 ether
0:20:40:b4:39:ac
> file ""[|bootp]
> 20:02:16.549517 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:17.746115 arp who-has 65.11.234.220 tell 65.11.234.129
> 20:02:23.864878 arp who-has 65.11.234.220 tell 65.11.234.129
> 20:02:33.062801 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:36.455231 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:40.404566 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:41.068053 arp who-has 24.18.130.137 tell 24.18.130.1
> 20:02:43.233819 arp who-has 24.7.7.127 tell 24.7.7.1
> 20:02:44.042454 arp who-has 24.18.130.137 tell 24.18.130.1
>
> I found the bootp traffic particularly interesting, but I would really
like
> to see more common IP trafffic (like TCP, UDP, ICMP maybe? :-)
>
> Any help is greatly appreciated.  Thanks, in advance....
>
> Paul
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users