Security Basics mailing list archives
Re: mirroring cable model traffic
From: Security / Cisco <security () davidswafford com>
Date: Sat, 12 Apr 2008 14:22:47 -0400
Why not just pick up a Cisco 2950 and use port mirroring to accomplish this goal? Seems to me that it would be a bit simpler and more stable than an ancient hub or some handmade tap device.
David

On Apr 12, 2008, at 1:25 PM, Burton Strauss wrote:

As Dan says - you need a true hub, which are NOT easy to find. The last one I know worked was a Linksys, but only the one in the grey package - the spiffy blue & black one was a switching hub.

Or, you can make a 10/100 Tap (you can make one yourself from parts available @ Radio Shack, the hardware store et al - instructions are at snort dot org). The trick there is that you need TWO interfaces as one port of the tap is the tx (transmit) traffic and the other is the rx (receive).

-----Burton

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dan Lynch
Sent: Friday, April 11, 2008 12:09 PM
To: Chas Meyer; security-basics () securityfocus com
Subject: RE: mirroring cable model traffic

I've seen this with modern hubs. Try using a much older model hub.

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chas Meyer
Sent: Sunday, April 06, 2008 11:35 PM
To: security-basics () securityfocus com
Subject: mirroring cable model traffic

Just a quick question - I've decided to run snort on all the traffic running in and out of my house. Since my home switch is unmanaged (I can't set up a mirror port), I've done it ghetto style. I set up a hub in between my cable modem and my router/switch and plugged the interface on my server that I would like to use for sniffing into that hub. However, when I test this rig with tcpdump (using command: sudo tcpdump -vvv -i eth0), all I am getting is arp requests on my ISP's network, even with internet use from my local network. Shouldn't I also be seeing all the traffic that is originating and terminating at my router/switch?

Any help would be great. Thanks.