[Snort-users] RE: Read-Only Ethernet cable

Frank Knobbe FKnobbe at ...649...
Tue Jun 19 21:00:40 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Thomas Nilsen [mailto:Thomas.Nilsen at ...2277...]
> Sent: Tuesday, June 19, 2001 9:35 AM
> 
> Back in January you posted a diagram for a read-only Ethernet cable
> (http://archives.neohapsis.com/archives/snort/2001-01/0055.html)
> that could be used with Snort to secure a sniffing NIC. The diagram
> looked like this:
> 
> LAN Sniffer 
> 1 -----\ /-- 1 
> 2 ---\ | \-- 2 
> 3 ---+-*------- 3 
> 4 - | - 4 
> 5 - | - 5 
> 6 ---*-------- 6 
> 7 - - 7 
> 8 - - 8 

Thomas, 

actually it looks like this:

LAN       Sniffer
1 -----\    /-- 1
2 ---\ |    \-- 2
3 ---+-*------- 3
4 -  |        - 4
5 -  |        - 5
6 ---*--------- 6
7 -           - 7
8 -           - 8

If there is a problem with spaces, the diagram below uses dots
instead of spaces.

LAN.......Sniffer
1.-----\..../--.1
2.---\.|....\--.2
3.---+-*-------.3
4.-..|........-.4
5.-..|........-.5
6.---*---------.6
7.-...........-.7
8.-...........-.8

 
> From the description to the diagram, you say you connect 1 & 
> 2 to 3 & 6 and
> vice versa on the other side 

Nope. 3 & 6 go from one side to 3 & 6 on the other. Then
_on_one_side_only_ you connect 1 to 3 and 2 to 6. This will be the
LAN side. On the sniffer side you connect 1 directly to 2.

Again, make sure you connect the LAN side into a hub, not a switch.

Hope this helps.
Regards,
Frank



PS: Is anyone else using this successfully? Am I the only one? :)  It
would be great to get some feedback from folks using it (offline
please, not to the list)


- --->8---

Basically, 1 and 2 on the sniffer side are connected, 3 and 6
straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
6 respectively. This fakes a link on both ends but only allows
traffic from the LAN to the sniffer. It also causes the 'incoming'
traffic to be sent back to the LAN, so this cable only works well on
a hub. You can use it on a switch but you will get ...err...
interesting results. Since the switch receives the packets back in on
the port it sent them out, the MAC table gets confused and after a
short while devices start to drop off the switch. Works like a charm
on a hub though. 

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOy/1uJytSsEygtEFEQLMqwCg+HsvezDiTCbcSqZ84zhcmo42s9YAoJT6
tDH+nhQo5vq3G4wTxzgG8iES
=moNH
-----END PGP SIGNATURE-----
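
The switch behaviour described in the message above, as an added example that is not part of the original post: a toy learning switch with the read-only cable on port 3. Port numbers, MAC addresses, and the class and function names are constructed for illustration. Every frame the switch sends out the tap port comes straight back in on it, so source learning moves each host's MAC to that port.

```python
# Added illustration (not from the original post): a toy learning switch with
# the read-only cable on one port. Port numbers and MACs are constructed.

TAP = "tap"  # marks the port holding the read-only cable


class LearningSwitch:
    def __init__(self, ports):
        self.ports = ports        # port number -> attached device name, or TAP
        self.mac_table = {}       # learned source MAC -> port
        self.delivered = []       # (device, src, dst) frames handed to real hosts

    def receive(self, in_port, src, dst):
        self.mac_table[src] = in_port              # learn where src lives
        known = self.mac_table.get(dst)
        if known is None:
            out_ports = [p for p in self.ports if p != in_port]   # flood
        elif known == in_port:
            out_ports = []                         # dst "behind" in_port: filter
        else:
            out_ports = [known]
        for port in out_ports:
            if self.ports[port] == TAP:
                # LAN-side pins 1/2 are wired to 3/6, so what the switch
                # transmits on this port comes straight back in on it.
                self.receive(port, src, dst)
            else:
                self.delivered.append((self.ports[port], src, dst))


def simulate():
    sw = LearningSwitch({1: "hostA", 2: "hostB", 3: TAP})
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    sw.receive(1, a, b)     # A -> B: B unknown, flooded, echoed back on port 3
    sw.receive(2, b, a)     # B -> A: switch now believes A is on port 3
    sw.receive(1, a, b)     # A -> B again: B has been mislearned as well
    return sw


if __name__ == "__main__":
    sw = simulate()
    print("MAC table:", sw.mac_table)
    print("frames delivered to hosts:", sw.delivered)
```

After the first flooded frame, nothing reaches either host: both MACs end up mapped to the tap port. A hub keeps no forwarding table, so there is nothing for the echoed frames to overwrite.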



