[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

Slighter, Tim tslighter at ...5174...
Fri Jun 28 08:34:04 EDT 2002

Depends upon the circumstances.  The assumption here might be that one
machine is hooked up into an isolated port mirror where there are no other
machines connected.  In addition, having the DHCP service disabled prevents
it from going out and attempting to obtain an IP address from anything.  Of
course, with Win2K, the easiest of all is to simply uncheck "Internet
Protocol TCP".

-----Original Message-----
From: Mike Shaw [mailto:mshaw at ...3165...]
Sent: Friday, June 28, 2002 9:26 AM
To: Slighter, Tim; 'Michael Steele'; 'Scot Scot'
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor
with no IP Address

At 07:38 AM 6/28/2002 -0600, Slighter, Tim wrote:
>I did find that for those who are uncomfortable with poking away at the
>registry blindfolded, there is an easier way to set up a "stealth" interface
>on a Windows system.  Just simply configure the interface for DHCP and it
>will never obtain an IP address but will still be in the "UP" state.

Hmmmm...that's a little scary.  All it takes is a rogue DHCP server to give
it whatever IP address you want.

Try it on a LAN segment sometime (assuming it's one you're responsible for
and you know what you're doing), you'll be amazed at what devices suddenly
pop up on the network.  Switches, hubs, print servers, remote access
devices....this used to be especially true where the standard protocol was
IPX and TCP/IP was not even considered.

I wouldn't recommend this particular technique.
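
Added example (not part of either poster's message): a Python check for the concern raised in this thread, that a capture interface left on DHCP can be handed an address by any DHCP server on the segment. It parses `ipconfig /all`-style text; the adapter names and sample output are constructed, and treating an adapter absent from the output as having TCP/IP unbound is an assumption.

```python
import re

# Constructed sample in the style of `ipconfig /all` output (not from the thread).
SAMPLE = """\
Ethernet adapter Management:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)

Ethernet adapter Sniff-DHCP:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.50.23(Preferred)
"""

ADAPTER = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD = re.compile(r"^\s+([^.:]+?)[ .]*: (.*)$")
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_adapters(text):
    """Return {adapter name: {field label: value}} from ipconfig-style text."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return adapters


def audit_sensor(text, name):
    """List reasons the named capture interface is not 'stealth'."""
    fields = parse_adapters(text).get(name)
    if fields is None:
        # Assumption: an adapter with TCP/IP unbound has no IP section to list.
        return []
    findings = []
    if fields.get("DHCP Enabled", "").lower() == "yes":
        findings.append("DHCP client enabled: any DHCP server on the segment can assign an address")
    for label, value in fields.items():
        m = IPV4.search(value)
        if "Address" in label and "Physical" not in label and m and m.group(1) != "0.0.0.0":
            findings.append(f"{label} = {m.group(1)}")
    return findings
```

Feed `audit_sensor` the saved output of `ipconfig /all` from the sensor and the name of the capture adapter; an empty list means no DHCP client and no IPv4 address were found on it.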

