Re: Setting up a Windowz Interface to monitor with no IP Address

["Scot Scot" <scotw () hotmail com>]

As noted, there are several methods for yanking packets off the wire in 
Windows without assigning a layer three address. As Cliff notes below, not 
all devices and services will function properly if the native TCP/IP suite 
provider stack is disabled. For both stability and reliability I would 
recommend leaving the native IP stack in place and removing associated 
values the stack may choose to "slap" on the wire.

My 2.12534 Cents Worth (Tax Included)

Scot

> From: CJATeck () aol com

> I found in early testing that WinPCap did NOT always work correctly (I
> understand WinPCap is supposed to work at layer 2 directly with the NIC
> interface driver and as such a full IP stack should not be needed) when the
> MS TCP/IP stack was disabled, this may not be others experience as I have
> noted several different proceedures that appear to work addressed on these
> mailing lists. I can only tell you what works for me. If you have find a
> better way to make a wheel, more power to ya.
> The END result is what is important, a secure sensor that can not be 
> detected
> or intruded upon.
>
> Cliff (smile)
>
> In a message dated 6/28/2002 11:40:34 AM Eastern Daylight Time,
> Keith.McCammon () eadvancemed com writes:
> > Am I missing something!?!  Why steps two through four?  There's no 
> reason to
> > have TCP/IP enabled at all on that interface.  Winpcap is doing the 
> work,
> > not the (shady) Windows IP stack.
> >
> > >> -----Original Message-----
> >> From: CJATeck () aol com [mailto:CJATeck () aol com]
> >> Sent: Friday, June 28, 2002 11:25 AM
> >> To: McCammon, Keith; tslighter () itc nrcs usda gov;
> >> michaels () silicondefense com; scotw () hotmail com
> >> Cc: snort-users () lists sourceforge net
> >> Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor 
> with
> >> no IP Address
> >>
> >>
> >> I do NOT use the registry hack although I am aware of it, for my 
> "External
> >> Interface" I do the following.
> >>
> >> 1) I use a copper tap (Finisar) as the physical device to intercept
> >> traffic between my boundary router and the outside firewall interface, 
> as
> >> this is a "recieve only" device, it provides protection at the OSI 
> phyical
> >> layer.
> >> 2) On a WIN32 box I disable ALL but the TCP/IP stack. (NO file& print, 
> NO
> >> MS client, ect)
> >> 3) I leave the interface set for "DHCP", no hard IP info (NO unicast
> >> address, NO subnet, NO DNS, ect)
> >> 4) I disable the DHCP service.
> >>
> >> RESULT- provides a promiscuous interface that is protected from 
> detection
> >> and intrusion at both layer 1 and layer 3 of the OSI model.
> >>
> >> Hope this clarify things.
> >>
> >> Cliff
> >>
> >> In a message dated 6/28/2002 11:07:52 AM Eastern Daylight Time,
> >> Keith.McCammon () eadvancemed com writes:
> >> >>> How about just disabling TCP/IP on that interface by un-checking 
> the
> >>> component?  Why muck around with the registry?
> >>>
> >>> >>>> -----Original Message-----
> >>>> To: tslighter () itc nrcs usda gov; michaels () silicondefense com;
> >>>> scotw () hotmail com
monitor
> >>>> with no IP Address
> >>>>
> >>>>
> >>>
> >>
> >




-----------------------------------------------------------
"It's all about the Pentium"
                             -Weird AL
-----------------------------------------------------------


_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Caffeinated soap. No kidding.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users