[Snort-users] Re: Wiring a "read only" cable

Joe Pampel joe at ...3851...
Fri Nov 30 03:33:05 EST 2001

reply in-line

>>Message: 11
Date: Thu, 29 Nov 2001 18:30:32 -0500
To: snort-users at lists.sourceforge.net 
From: Matt Kettler <mkettler at ...4108...>
Subject: [Snort-users] Re: Wiring a "read only" cable

>>I think the 14 pin connector you are looking at is AUI, not a 100baseT 
ethernet PHY connection. Perhaps you can point out where this diagram is on 

it's here: http://www.silicondefense.com/techsupport/ro-ethernet.htm

What you say makes perfect sense.. it's been so long since I used one of those I
kinda forgot all about them. :-)  I knew the diagram would not be up on the SD site
unless it made some sort of sense, I was just sitting here staring at my 4 pairs going "huh?"

>>Also with 100baseT it is impossible to create a read only cable by just 
cutting one or more pins of a twisted pair cable. The PHY layer sends short 
bursts of test signal that are expected to be echoed back in order to 
establish link.

So if you try to use regular 100base-T cable with a pair gone, you won't see link and the
IF will remain down if I follow you here. 

>>Your best bet is to use an AUI adapter and cut pins on the AUI side. Of 
course, this implies having a 100mbit ethernet card with AUI input (uncommon).<<

seriously.. I'm not sure I have any here. So you need an AUI adapter, alter the wiring and then get a
converter to RJ45 to go to the hub/switch... Anyone have a favorite NIC for this? 

>>Baring that you can create a "denatured" ethernet cable where the TX+ and 
TX- signals are not on the same twisted pair. This ruins the controlled 
impedance of the pair, and introduces bit errors into the data. If the 
denatured cable is the right length the short test bursts with make it 
through fine but data packets will have errors in them and be dropped. This 
process is not an exact science, but there is a website somewhere detailing 
what can be detailed. I do not have the URL offhand.<<

I dug a little deeper and found some stuff in the Snort FAQ (my bad...)
Section 3.1 has a bit about ethernet cabling. The setup is described as working
well on a hub but not so on a switch.. :-(  Me being 100% switched of course.. 
Maybe I can hang a cheap hub off the switch port I mirror to.. maybe that's the ticket.

Thanks for the responses!

More information about the Snort-users mailing list