[Snort-users] Dual ethernet cards under Linux - could be of use to others

Gregor Binder gbinder at ...462...
Fri Nov 3 07:48:18 EST 2000


Jason Haar on Fri, Nov 03, 2000 at 04:07:00PM +1300:

Hi,

[...]

> I'm running arpwatch as well and it shows my MAC address "flip-flopping" -
> one moment it's the MAC address of eth0, the next it's eth1...

If you want to be certain that your NIC doesn't transmit ANYTHING, you
might want to experiment with making your network connection
"read-only".

I have attached two messages from the shadow and pen-test mailing
lists that make suggestions on how this can be done.

Greetings,
  Gregor.

-- 
Gregor Binder  <gbinder at ...462...>  http://www.sysfive.com/~gbinder/
sysfive.com GmbH             UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany       TEL +49-40-63647482
-------------- next part --------------
Date: Mon, 11 Sep 2000 20:58:48 -0700
From: Rob McMillen <rvmcmil at ...741...>
Subject: Re: New Guy to Shadow
To: Raymond Toney <toneyr at ...742...>, shadow at ...743...

The figure didn't come out too clear.  Here is the pin out I used.

HUB Port 1        HUB Port 2        NIC

    6  <-------------------------->  6
    3  <-------------------------->  3
    2  <----------->  6
    1  <----------->  3

Let me know if this helps.

Another method I used was to simply tap into the receive pair of an existing
connection, but I would not be able to receive what the tapped host was
transmitting.  If anyone else comes up with a better setup or can figure out why
this doesn't work with every hub, please let me know.

Rob

Rob McMillen wrote:

> Raymond,
>     I have a one way cable, but it doesn't seem to work on every type of hub.
> I'll tell you what I've done.  I am using two ports on a hub.  From the
> perspective of the hub, I take the transmit pair (receive pair on the nic) from
> one hub port and feed it to my nic.  I take the transmit pair on the other hub
> port and feed it to the receive pair on the first hub port (this causes one of
> the hub port lights to turn on, hence causing the illusion of an actual
> connection).
>
> This is a cable representation of what I did.  This is the pin out on the
> cable  (ETHERNET).
>
> HUB Port 1                HUB Port 2
> __________                __________
>
> 6  3  2  1                       1  2  3  6
> |   |   |   |                                |   |
> |   |   |    --------------   |
> |   |   |                                        |
> |   |   ------------------
> |   |
> |   |
> |   |
> 6  3
> ----
> NIC
>
> Let me know if this helps
>
> Rob
-------------- next part --------------
Date:         Fri, 20 Oct 2000 13:42:15 -0500
From: Frank Knobbe <FKnobbe at ...744...>
Subject:      Re: [PEN-TEST] Datacenter Wiring
To: PEN-TEST at ...220...

I've been using a 'special' (well, self-crimped) cable that snoops,
but does not leak. I've come across one network where it didn't work
(probably hub/switch type issue), but worked everywhere else (I haven't
tested that many sites, though). Here is my pinout:

LAN       Sniffer
1 -----\    /-- 1
2 ---\ |    \-- 2
3 ---+-*------- 3
4 -  |        - 4
5 -  |        - 5
6 ---*--------  6
7 -           - 7
8 -           - 8

Basically, 1 and 2 on the sniffer side are connected, 3 and 6
straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
6 respectively. This fakes a link on both ends but only allows
traffic from the LAN to the sniffer. My NIC is a 3Com 10/100 PCCard,
your mileage may vary.

There might be a problem with feedback on certain hubs/switches, but
most should recognize their own MAC address and discard the packets.

Regards,
Frank


