mkettler at ...4108...
Mon Nov 15 12:13:04 EST 2004
At 01:21 PM 11/15/2004, Elmar Bschorer wrote:
>I tried to sniff all traffic in a network segment with my sensor.
>Therefore I connected the sensor to the uplink port of my Netgear FS105.
>I tried the following:
>$ ifconfig eth0 promisc
>When I run "tcpdump -i eth0" on the sensor now, I get no output.
>someone any experiences with this type of switch - or am i doing
You don't need an uplink port. You need a true managed switch with span
An uplink port is really intended for when you want to cascade two switches
into each other. Think of it as a port with a built-in equivalent of a
"null modem" adapter so you can connect it to a normal switch port. This
has nothing to do with what traffic goes to the port, it's just got the TX
and RX pairs reversed.
If you've got an inexpensive unmanaged switch, you're mostly out of luck
for a good sniffing option without replacing the switch. In general the
options for network tapping are:
1) use macof to flood the switch. Free, but degrades switch
performance severely and isn't 100% reliable
2) replace the switch with a 10mbps passive hub. Inexpensive, but
3) build or buy a passive tap. Cheap if you build your own, but
requires 2 NICs on your box and you need to bond interfaces using your OS.
4) buy a managed switch. Easy, reliable, but can be pricey (a few
hundred dollars at least)
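
Added example (not part of the original post): a sensor-side check of whether a capture contains unicast frames between other hosts, which is what a hub, tap or span port delivers and a plain switch port does not. The MAC addresses, sample frames, function names and the 20% threshold are constructed assumptions.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame for the sample data below."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def classify(raw, sensor_mac):
    """Return the visibility class of one raw Ethernet frame."""
    if len(raw) < 14:
        return "runt"              # too short to hold an Ethernet header
    dst, src = raw[0:6], raw[6:12]
    if dst == BROADCAST:
        return "broadcast"         # flooded to every port by any switch
    if dst[0] & 0x01:              # I/G bit set: group (multicast) address
        return "multicast"
    if sensor_mac in (dst, src):
        return "own"               # the sensor's own conversations
    return "third_party"           # unicast between two other hosts

def visibility(frames, sensor_mac, min_share=0.2):
    """Count frame classes and judge what the sensor port can see."""
    counts = Counter(classify(f, sensor_mac) for f in frames)
    total = sum(counts.values())
    if total == 0:
        return counts, "no_frames"
    if counts["third_party"] / total >= min_share:  # assumed threshold
        return counts, "mirrored_or_shared"         # hub, tap or span port
    if counts["third_party"]:
        return counts, "occasional_flooding"        # switch flooding unknown MACs
    return counts, "switched_port_only"

SENSOR = "02:00:00:00:00:01"       # constructed addresses throughout
SWITCHED = [
    frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02", 0x0806),  # ARP request
    frame("01:00:5e:00:00:fb", "02:00:00:00:00:03"),          # multicast
    frame(SENSOR, "02:00:00:00:00:02"),                       # to the sensor
]
MIRRORED = SWITCHED + [
    frame("02:00:00:00:00:03", "02:00:00:00:00:02"),          # host 2 -> host 3
    frame("02:00:00:00:00:02", "02:00:00:00:00:03"),          # host 3 -> host 2
]

if __name__ == "__main__":
    for name, capture in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        counts, verdict = visibility(capture, mac(SENSOR))
        print(name, dict(counts), verdict)
```
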