[Snort-users] Creating a 'read-only' 100/10BaseT ethernet cable

jess at ...521... jess at ...521...
Thu Jan 4 12:16:52 EST 2001


	Hi!

	Have you checked Robert Graham's sniffing FAQ?
	
	http://www.robertgraham.com/pubs/sniffing-faq.html

	If not, take a look at section 3.6: How can I create a
receive-only Ethernet adapter?

	I've not tried it myself, but it looks like he has...

	Cheers,

								JESS

On Thu, 4 Jan 2001, Ed Padin wrote:

> Hi,
> 
> I've been trying to create a patch cable for a snort box that is a
> 'read-only cable. I remember people on this list mentioning something about
> this but could nto turn up anything on the archives. I know that you can run
> snort on an interface that has no IP address but I'd also like to provide
> physical security to guard against a configuration error.
> 
> I think I remember that you need to complete only one of the pairs in order
> to read packets but the other pair to write packets is not used. Here's what
> I tried so far:
> 
> Create a cable where only pair 1&2 are used
> 
> Create a cable where only pair 3&6 are used
> 
> Create a cable where only pair 1&2 are used and 3&6 looped back to the hub
> 
> Create a cable where only pair 3&6 are used and 1&2 looped back to the hub
> 
> 
> I'm trying this on a hub that does 100Mbit ethernet and supports full
> duplex. The card I am using usually negotiates a full duplex connection. I
> have tried rebooting the box with each config mentioned above.
> 
> Has anybody got this working? If so, could you describe your configuration?
> 
> aTdHvAaNnKcSe
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 





More information about the Snort-users mailing list