[Snort-users] Creating a 'read-only' 100/10BaseT ethernet cab le

Frank Knobbe FKnobbe at ...649...
Fri Jan 5 00:31:29 EST 2001

Hash: SHA1

> -----Original Message-----
> From: Ed Padin [mailto:ohdamnthathurts at ...131...]
> Sent: Thursday, January 04, 2001 10:22 AM
> I've been trying to create a patch cable for a snort box that is a
> 'read-only cable. I remember people on this list mentioning 
> something about
> this but could nto turn up anything on the archives. I know 
> that you can run
> snort on an interface that has no IP address but I'd also 
> like to provide
> physical security to guard against a configuration error.

Was probably a different list :)

Anyway, here is the cable I use:

LAN       Sniffer
1 -----\    /-- 1
2 ---\ |    \-- 2
3 ---+-*------- 3
4 -  |        - 4
5 -  |        - 5
6 ---*--------  6
7 -           - 7
8 -           - 8

Basically, 1 and 2 on the sniffer side are connected, 3 and 6
straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
6 respectively. This fakes a link on both ends but only allows
traffic from the LAN to the sniffer. It also causes the 'incoming'
traffic to be sent back to the LAN, so this cable only works well on
a hub. You can use it on a switch but you will get ...err...
interesting results. Since the switch receives the packets back in on
the port it sent them out, the MAC table gets confused and after a
short while devices start to drop off the switch. Works like a charm
on a hub though.


Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.


More information about the Snort-users mailing list