[Snort-users] RE: Read-Only Ethernet cable

Thomas Nilsen Thomas.Nilsen at ...2277...
Thu Jun 21 07:45:05 EDT 2001


Thanks Frank!

This worked like a charm once I plugged it into a pure 10 MB hub. It failed
to work on an autosense 10/100 hub, but I guess that could be overcome by
setting the port speed manually.

Regards, Thomas


-----Original Message-----
From: Frank Knobbe [mailto:FKnobbe at ...649...]
Sent: 20. juni 2001 02:01
To: Thomas Nilsen
Cc: 'Snort-users at lists.sourceforge.net'
Subject: [Snort-users] RE: Read-Only Ethernet cable


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Thomas Nilsen [mailto:Thomas.Nilsen at ...2277...]
> Sent: Tuesday, June 19, 2001 9:35 AM
> 
> Back in January you posted a diagram for a read-only Ethernet cable
> (http://archives.neohapsis.com/archives/snort/2001-01/0055.html) that could
> be used with Snort to secure a sniffing NIC. The diagram looked like this:
> 
> LAN Sniffer 
> 1 -----\ /-- 1 
> 2 ---\ | \-- 2 
> 3 ---+-*------- 3 
> 4 - | - 4 
> 5 - | - 5 
> 6 ---*-------- 6 
> 7 - - 7 
> 8 - - 8 

Thomas, 

actually it looks like this:

LAN       Sniffer
1 -----\    /-- 1
2 ---\ |    \-- 2
3 ---+-*------- 3
4 -  |        - 4
5 -  |        - 5
6 ---*--------- 6
7 -           - 7
8 -           - 8

If there is a problem with spaces, the diagram below uses dots
instead of spaces.

LAN.......Sniffer
1.-----\..../--.1
2.---\.|....\--.2
3.---+-*-------.3
4.-..|........-.4
5.-..|........-.5
6.---*---------.6
7.-...........-.7
8.-...........-.8

 
> From the description to the diagram, you say you connect 1 & 2 to 3 & 6 and
> vice versa on the other side

Nope. 3 & 6 go from one side to 3 & 6 on the other. Then
_on_one_side_only_ you connect 1 to 3 and 2 to 6. This will be the
LAN side. On the sniffer side you connect 1 directly to 2.

Again, make sure you connect the LAN side into a hub, not a switch.

Hope this helps.
Regards,
Frank



PS: Is anyone else using this successfully? Am I the only one? :)  It
would be great to get some feedback from folks using it (offline
please, not to the list)


- --->8---

Basically, 1 and 2 on the sniffer side are connected, 3 and 6
straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
6 respectively. This fakes a link on both ends but only allows
traffic from the LAN to the sniffer. It also causes the 'incoming'
traffic to be sent back to the LAN, so this cable only works well on
a hub. You can use it on a switch but you will get ...err...
interesting results. Since the switch receives the packets back in on
the port it sent them out, the MAC table gets confused and after a
short while devices start to drop off the switch. Works like a charm
on a hub though. 

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOy/1uJytSsEygtEFEQLMqwCg+HsvezDiTCbcSqZ84zhcmo42s9YAoJT6
tDH+nhQo5vq3G4wTxzgG8iES
=moNH
-----END PGP SIGNATURE-----
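
The wiring described in the message above can be checked as a netlist. This is an added example, not code from either poster: it builds the electrical nets for the read-only cable and for an ordinary straight-through cable, then tests whether the sniffer can receive, whether it has any transmit path, and whether the hub's own traffic is looped back to it. The pin roles (NIC transmits on 1,2 and receives on 3,6; hub port the reverse) are the standard 10BASE-T assignments and are an assumption the thread does not state; all names in the code are illustrative.

```python
# Added illustration (not from the thread): model each cable as a netlist.
# Assumed standard 10BASE-T pin roles, which the thread does not spell out:
#   NIC (sniffer): transmits on pins 1,2 and receives on pins 3,6
#   Hub port (LAN): receives on pins 1,2 and transmits on pins 3,6

def build_nets(wires):
    """Union-find over (side, pin) nodes; returns find(node) -> net id."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path compression
            node = parent[node]
        return node

    for a, b in wires:
        parent[find(a)] = find(b)
    return find

# Wiring exactly as the message describes it.
READ_ONLY_CABLE = [
    (("lan", 3), ("sniffer", 3)),      # 3 straight through
    (("lan", 6), ("sniffer", 6)),      # 6 straight through
    (("lan", 1), ("lan", 3)),          # LAN side only: 1 to 3
    (("lan", 2), ("lan", 6)),          # LAN side only: 2 to 6
    (("sniffer", 1), ("sniffer", 2)),  # sniffer side: 1 directly to 2
]
# Ordinary straight-through patch cable, for comparison.
STRAIGHT_CABLE = [(("lan", p), ("sniffer", p)) for p in (1, 2, 3, 6)]

def analyse(wires):
    find = build_nets(wires)
    joined = lambda a, b: find(a) == find(b)
    hub_rx, hub_tx = [("lan", 1), ("lan", 2)], [("lan", 3), ("lan", 6)]
    nic_tx, nic_rx = [("sniffer", 1), ("sniffer", 2)], [("sniffer", 3), ("sniffer", 6)]
    return {
        # hub transmit pair arrives on the sniffer's receive pair
        "sniffer_receives": all(joined(t, r) for t, r in zip(hub_tx, nic_rx)),
        # any copper path from the sniffer's transmit pins to the LAN side
        "sniffer_can_transmit": any(joined(t, p) for t in nic_tx for p in hub_rx + hub_tx),
        # hub transmit pair is looped into its own receive pair
        "hub_hears_own_traffic": all(joined(r, t) for r, t in zip(hub_rx, hub_tx)),
    }

if __name__ == "__main__":
    for name, cable in (("read-only", READ_ONLY_CABLE), ("straight", STRAIGHT_CABLE)):
        print(name, analyse(cable))
```

The loopback result for the read-only cable is the same effect the message gives as the reason the cable misbehaves on a switch.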
