Re: mirroring cable modem traffic

Why not just pick up a Cisco 2950 and use port mirroring to accomplish this goal? Seems to me that it would be a bit simpler and more stable than an ancient hub or some handmade tap device.

David

On Apr 12, 2008, at 1:25 PM, Burton Strauss wrote:

As Dan says - you need a true hub, which are NOT easy to find. The last one
I know worked was a Linksys, but only the one in the grey package - the
spiffy blue & black one was a switching hub.

Or, you can make a 10/100 Tap (you can make one yourself from parts
available @ Radio Shack, the hardware store et al - instructions are at
snort dot org. The trick there is that you need TWO interfaces as one port
of the tap is the tx (transmit) traffic and the other is the rx (receive).


-----Burton



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Dan Lynch
Sent: Friday, April 11, 2008 12:09 PM
To: Chas Meyer; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: mirroring cable modem traffic

I've seen this with modern hubs. Try using a much older model hub.

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Chas Meyer
Sent: Sunday, April 06, 2008 11:35 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: mirroring cable modem traffic

Just a quick question - I've decided to run snort on all the
traffic running in and out of my house. Since my home switch
is unmanaged (I can't set up a mirror port), I've done it
ghetto style. I set up a hub in between my cable modem and
my router/switch and plugged the interface on my server that
I would like to use for sniffing into that hub. However,
when I test this rig with tcpdump (using command: sudo
tcpdump -vvv -i eth0), all I am getting is arp requests on my
ISP's network, even with internet use from my local network.
Shouldn't I also be seeing all the traffic that is
originating and terminating at my router/switch? Any help
would be great. Thanks.
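To check the symptom Chas describes (only ARP showing up on the sniffing interface), here is an added Python example that is not part of this list thread: it reads the link-layer headers that `tcpdump -e -nn` prints and reports whether the capture contains unicast frames between other hosts, which only a true hub, a tap or a mirror port will deliver to the sniffer. The MAC addresses and sample capture lines are constructed.

```python
import re
import sys

# Link-layer prefix that `tcpdump -e -nn` prints before each packet:
# "<timestamp> <src MAC> > <dst MAC>, ethertype <name> (0x....), length N: ..."
FRAME_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<proto>\S+)",
    re.IGNORECASE,
)

# Constructed MAC of the NIC that is plugged into the hub for sniffing.
SNIFFER_MAC = "00:aa:bb:cc:dd:ee"

# Constructed capture resembling the poster's result: broadcast ARP only.
ARP_ONLY = [
    "13:25:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.2.1 tell 10.1.2.77, length 46",
    "13:25:01.500002 00:11:22:33:44:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.2.1 tell 10.1.2.91, length 46",
]

# Constructed capture from a working hub/mirror: modem <-> router unicast is visible.
HUB_OK = ARP_ONLY + [
    "13:25:02.000003 00:11:22:33:44:01 > 00:11:22:33:44:02, ethertype IPv4 (0x0800), length 74: 192.168.1.10.40001 > 203.0.113.5.80: Flags [S], seq 1, win 5840, length 0",
    "13:25:02.000004 00:11:22:33:44:02 > 00:11:22:33:44:01, ethertype IPv4 (0x0800), length 74: 203.0.113.5.80 > 192.168.1.10.40001: Flags [S.], seq 2, ack 2, win 5840, length 0",
]


def is_multicast(mac):
    """True for broadcast/multicast: low bit of the first octet is set."""
    return bool(int(mac.split(":")[0], 16) & 1)


def classify_capture(lines, sniffer_mac):
    """Bucket frames by whether a plain switch would have delivered them to the sniffer."""
    counts = {"own": 0, "broadcast_or_multicast": 0, "foreign_unicast": 0, "unparsed": 0}
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        src, dst = m.group("src").lower(), m.group("dst").lower()
        if sniffer_mac.lower() in (src, dst):
            counts["own"] += 1              # traffic to/from the sniffer itself
        elif is_multicast(dst):
            counts["broadcast_or_multicast"] += 1  # flooded by any switch, proves nothing
        else:
            counts["foreign_unicast"] += 1  # only a hub/tap/mirror shows these
    return counts


def hub_verdict(counts):
    """Plain-text conclusion for the operator."""
    if counts["foreign_unicast"] > 0:
        return "repeating: foreign unicast frames seen, device behaves like a hub or mirror port"
    return "switching: only own/broadcast frames seen, device is not repeating traffic"


if __name__ == "__main__":
    # Usage: sudo tcpdump -e -nn -i eth0 -c 200 | python3 this_script.py <sniffer MAC>
    mac = sys.argv[1] if len(sys.argv) > 1 else SNIFFER_MAC
    result = classify_capture(sys.stdin.read().splitlines(), mac)
    print(result, hub_verdict(result))
```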