Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Only seeing arp traffic?

From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Fri, 6 Jul 2001 08:25:23 -0700

Most cable modems act as dumb bridges, so you'll only see traffic destined
for your IP(s) and broadcasts.  I'm assuming that you DO see your own
traffic, right?  

Some non-DOCSIS cable modems (like the crappy LanCity box I had) just pass
everything and actually do allow sniffing other people's traffic.  However,
many non-DOCSIS boxes can't adjust upstream power output, so they might not
be heard at the CMTS (headend) and wind up being just a listen only tap that
you pay for monthly..

/Dan Hawrylkiw

-----Original Message-----
From: Paul Asadoorian [mailto:paul.com () home com]
Sent: Thursday, July 05, 2001 5:53 PM
To: Snort-Users
Subject: [Snort-users] Only seeing arp traffic?


I have the following configuration:

Cable Modem
        /\
         |
         |
        \/
    HUB <-----> Snort IDS with No IP address (OpenBSD 2.7 Sparc 20, snort
1.7rel2)
        /\
         |
         |
        \/
   UGate-3200 Firewall
        /\
         |
         |
        \/
Rest of network

(All lines are catV ethernet, The one to the cable modem is plugged into the
xover port on the hub, every other host on the network is running a-okay).
Here is a sample of the traffic that I have been seeing:

# tcpdump -i hme0
tcpdump: WARNING: hme0: no IPv4 address assigned
tcpdump: listening on hme0
20:02:02.967846 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:07.827799 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:10.378441 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:14.391034 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:14.823077 arp who-has 65.11.234.220 tell 65.11.234.129
20:02:15.277576 10.67.142.1.bootps > 255.255.255.255.bootpc:  xid:0x39ac
flags:0x8000 Y:10.108.47.8 S:24.2.0.14 G:10.67.142.1 ether 0:20:40:b4:39:ac
[|bootp]
20:02:15.375589 10.67.142.1.bootps > 255.255.255.255.bootpc:  xid:0x39ac
flags:0x8000 Y:10.108.47.8 S:24.2.0.14 G:10.67.142.1 ether 0:20:40:b4:39:ac
file ""[|bootp]
20:02:16.549517 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:17.746115 arp who-has 65.11.234.220 tell 65.11.234.129
20:02:23.864878 arp who-has 65.11.234.220 tell 65.11.234.129
20:02:33.062801 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:36.455231 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:40.404566 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:41.068053 arp who-has 24.18.130.137 tell 24.18.130.1
20:02:43.233819 arp who-has 24.7.7.127 tell 24.7.7.1
20:02:44.042454 arp who-has 24.18.130.137 tell 24.18.130.1

I found the bootp traffic particularly interesting, but I would really like
to see more common IP trafffic (like TCP, UDP, ICMP maybe? :-)

Any help is greatly appreciated.  Thanks, in advance....

Paul



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: