[Snort-users] Testing read-only cable

Neptune neptune at ...13131...
Sat Mar 5 12:14:40 EST 2005


I have a Debian Linux box running the 2.6.8.1 kernel and snort 2.2.0-9.  It 
has two NIC's, eth0 for admin and eth1 for sniffing.  I have a built a 
read-only cable and wanted to test that cable versus a standard one to make 
absolutely sure that it's working.  

I've read about promiscuous interfaces being exposed by sending them ARP 
packets.  I've spent hours looking for how to do this, and just can't come up 
with it!  I've tried using 'arping', thinking that would expose something, 
but I'm not getting anywhere.  I've seen references to AntiSniff, but can't 
even find that anymore.

Is this still even a concern with modern Linux kernels?  For instance, I did 
read that the 'neped' program was only able to pick up ARP strangeness in the 
2.0-series kernels.

Thank you in advance for any information you might be able to give.




More information about the Snort-users mailing list