Snort mailing list archives
RE: Read-Only Ethernet cable
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Tue, 19 Jun 2001 20:00:40 -0500
-----Original Message-----
From: Thomas Nilsen [mailto:Thomas.Nilsen () Kverneland com]
Sent: Tuesday, June 19, 2001 9:35 AM

Back in January you posted a diagram for a read-only Ethernet cable (http://archives.neohapsis.com/archives/snort/2001-01/0055.html) that could be used with Snort to secure a sniffing NIC. The diagram looked like this:

LAN Sniffer
1 -----\ /-- 1
2 ---\ | \-- 2
3 ---+-*------- 3
4 - | - 4
5 - | - 5
6 ---*-------- 6
7 - - 7
8 - - 8

Thomas, actually it looks like this:

LAN       Sniffer
1 -----\    /-- 1
2 ---\ |    \-- 2
3 ---+-*------- 3
4 -  |        - 4
5 -  |        - 5
6 ---*--------- 6
7 -           - 7
8 -           - 8

If there is a problem with spaces, the diagram below uses dots instead of spaces.

LAN.......Sniffer
1.-----\..../--.1
2.---\.|....\--.2
3.---+-*-------.3
4.-..|........-.4
5.-..|........-.5
6.---*---------.6
7.-...........-.7
8.-...........-.8

From the description to the diagram, you say you connect 1 & 2 to 3 & 6 and vice versa on the other side

Nope. 3 & 6 go from one side to 3 & 6 on the other. Then _on_one_side_only_ you connect 1 to 3 and 2 to 6. This will be the LAN side. On the sniffer side you connect 1 directly to 2.

Again, make sure you connect the LAN side into a hub, not a switch.

Hope this helps.

Regards,
Frank

PS: Is anyone else using this successfully? Am I the only one? :) It would be great to get some feedback from folks using it (offline please, not to the list)

--->8---
Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though.
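
Added example, not part of the original post: a small Python check that treats the wiring described above as a netlist and compares it with an ordinary straight-through patch cable. It models electrical connectivity only and assumes the standard 10/100BASE-T pin roles (NIC transmits on 1/2 and receives on 3/6, hub port the reverse); the names READ_ONLY, STRAIGHT, reachable and audit are made up for this illustration.

```python
from collections import defaultdict

# Assumed 10/100BASE-T pin roles (not stated in the post): a NIC (MDI)
# transmits on pins 1/2; a hub port (MDI-X) transmits on 3/6, receives on 1/2.
NIC_TX = (1, 2)
HUB_TX, HUB_RX = (3, 6), (1, 2)

# Each wire joins two (side, pin) terminals, following the post's description.
READ_ONLY = [
    (("lan", 3), ("sniffer", 3)),      # 3 & 6 straight through
    (("lan", 6), ("sniffer", 6)),
    (("lan", 1), ("lan", 3)),          # LAN side only: 1 to 3, 2 to 6
    (("lan", 2), ("lan", 6)),
    (("sniffer", 1), ("sniffer", 2)),  # sniffer side: 1 tied directly to 2
]
STRAIGHT = [(("lan", p), ("sniffer", p)) for p in (1, 2, 3, 6)]  # normal cable


def reachable(wires, start):
    """Return every terminal electrically connected to `start`."""
    adj = defaultdict(set)
    for a, b in wires:
        adj[a].add(b)
        adj[b].add(a)
    seen, todo = {start}, [start]
    while todo:
        for nxt in adj[todo.pop()] - seen:
            seen.add(nxt)
            todo.append(nxt)
    return seen


def audit(wires):
    """Check the three properties the post claims for the cable."""
    def path(a, b):
        return b in reachable(wires, a)
    return {
        # The hub's transmit pins reach the same-numbered pins at the sniffer.
        "sniffer_receives": all(path(("lan", p), ("sniffer", p)) for p in HUB_TX),
        # Any conductor from a sniffer transmit pin to any LAN-side pin.
        "sniffer_can_transmit": any(
            side == "lan" for p in NIC_TX for side, _ in reachable(wires, ("sniffer", p))
        ),
        # The hub's output is wired into its own input (the switch problem).
        "lan_traffic_looped_back": all(
            path(("lan", tx), ("lan", rx)) for tx, rx in zip(HUB_TX, HUB_RX)
        ),
    }
```

audit(READ_ONLY) reports receive and loop-back as true with no transmit path, while audit(STRAIGHT) reports a transmit path and no loop-back.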