Snort mailing list archives
RE: Only seeing arp traffic?
From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Fri, 6 Jul 2001 08:25:23 -0700
Most cable modems act as dumb bridges, so you'll only see traffic destined for your IP(s) and broadcasts. I'm assuming that you DO see your own traffic, right? Some non-DOCSIS cable modems (like the crappy LanCity box I had) just pass everything and actually do allow sniffing other people's traffic. However, many non-DOCSIS boxes can't adjust upstream power output, so they might not be heard at the CMTS (headend) and wind up being just a listen only tap that you pay for monthly.. /Dan Hawrylkiw -----Original Message----- From: Paul Asadoorian [mailto:paul.com () home com] Sent: Thursday, July 05, 2001 5:53 PM To: Snort-Users Subject: [Snort-users] Only seeing arp traffic? I have the following configuration: Cable Modem /\ | | \/ HUB <-----> Snort IDS with No IP address (OpenBSD 2.7 Sparc 20, snort 1.7rel2) /\ | | \/ UGate-3200 Firewall /\ | | \/ Rest of network (All lines are catV ethernet, The one to the cable modem is plugged into the xover port on the hub, every other host on the network is running a-okay). Here is a sample of the traffic that I have been seeing: # tcpdump -i hme0 tcpdump: WARNING: hme0: no IPv4 address assigned tcpdump: listening on hme0 20:02:02.967846 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:07.827799 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:10.378441 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:14.391034 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:14.823077 arp who-has 65.11.234.220 tell 65.11.234.129 20:02:15.277576 10.67.142.1.bootps > 255.255.255.255.bootpc: xid:0x39ac flags:0x8000 Y:10.108.47.8 S:24.2.0.14 G:10.67.142.1 ether 0:20:40:b4:39:ac [|bootp] 20:02:15.375589 10.67.142.1.bootps > 255.255.255.255.bootpc: xid:0x39ac flags:0x8000 Y:10.108.47.8 S:24.2.0.14 G:10.67.142.1 ether 0:20:40:b4:39:ac file ""[|bootp] 20:02:16.549517 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:17.746115 arp who-has 65.11.234.220 tell 65.11.234.129 20:02:23.864878 arp who-has 65.11.234.220 tell 65.11.234.129 20:02:33.062801 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:36.455231 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:40.404566 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:41.068053 arp who-has 24.18.130.137 tell 24.18.130.1 20:02:43.233819 arp who-has 24.7.7.127 tell 24.7.7.1 20:02:44.042454 arp who-has 24.18.130.137 tell 24.18.130.1 I found the bootp traffic particularly interesting, but I would really like to see more common IP trafffic (like TCP, UDP, ICMP maybe? :-) Any help is greatly appreciated. Thanks, in advance.... Paul _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Only seeing arp traffic? Paul Asadoorian (Jul 05)
- Re: Only seeing arp traffic? Thorin (Jul 05)
- <Possible follow-ups>
- RE: Only seeing arp traffic? Hawrylkiw, Dan G (Jul 06)