Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous
Next: 3.3 What are HOME_NET Up: 3 Configuring Snort Previous: 3.1 How do I

3.2 How do I setup a receive-only ethernet cable?

Use an ethernet tap, or build your own 'receive-only' ethernet cable. Anyway, here is the cable I use: 

 LAN         Sniffer 
 1 -----\   /-- 1
 2 ---\ |   \-- 2
 3 ---+-*------ 3
 4 -  |       - 4
 5 -  |       - 5
 6 ---*-------- 6
 7 -          - 7
 8 -          - 8

Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though.

Another method which uses a capacitor and should work on 100mbs links:

http://www.geocities.com/samngms/sniffing_cable

And another:

The UTP Y-Cable specified by Joe Lyman:

A less noisy option: it involves a couple of cat 5 cables and a single speed hub. The idea is to use the rcv cables for the wire going to the sniffer box and use the xmit cables from another hub port. This will give you a link light and allow your sniffer to rcv only. Cannot xmit because the xmit cables are not connected. This has been successfully used on netgear single speed hubs. It wont work on dual speed hubs due to the negotiation of speed.

Pin outs. They are reversed in the picture in order to prevent lines from crossing, and I only included the pins used. 

  * []HUB PORT 1             HUB PORT 2

       -----             -----

       x x r r                r r x x

       6 3 2 1                1 2 3 6

       | | | |                    | |

       | | | ----------- |

       | | -------------

       | |

       | |

       | |

       | |

       6 3 2 1

       r r x x

       ----

       SNIFFER

        x = xmit

        r = rcv
You could make it a single cable by adding a battery to simulate the voltage from the xmit cables on the nic, but batteries die.

It's not recommended to cut the transmit side, shunt it to ground (pin 2). Some OS's will disable the interface if PIN 1 does not indicate a completed circuit.

next up previous
Next: 3.3 What are HOME_NET Up: 3 Configuring Snort Previous: 3.1 How do I
Nigel Houghton 2006-10-02
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.