[Snort-users] Receive only success/questions

w sibertron at ...3058...
Thu Sep 6 19:19:02 EDT 2001


Hi,

I built receive only cables based on the following methods:

Method 1:
  http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm

Method 2:
LAN.......Sniffer
1.-----\..../--.1
2.---\.|....\--.2
3.---+-*-------.3
4.-..|........-.4
5.-..|........-.5
6.---*---------.6
7.-...........-.7
8.-...........-.8

(Found in FAQ, as well as on the list).

Hardware:
3Com TP4 10 MB HUB
2 Toolless IDC Keystone Jacks (Fry's sucks)
1 150pF capacitor (Fry's still sucks)
3 Cat 5 cables

Result:
I had success with both methods.  Method 1, of course, is simpler
to build.  I did notice that a "few" packets managed to sneak by
although the error rate was well over 85%.
For the absolutist, Method 2 is probably the way to go.  I tested
both methods (to a limited extent) with snort, iptraf and ethereal.

Question:

For Method 2, the 3Com hub I used placed the connected port in
a partitioned/isolated state.  This did not seem to affect the
port's ability to receive data.  I'm wondering if anyone knows
whether this will pose any potential problems (i.e., spontaneous
disconnects for any other devices connected to the same hub...uhhh,
if that makes any sense... :-).

Thanks,

W

-- 
    w at ...3058...




