On Sat, Jan 03, 2004 at 03:27:33PM -0500, Scott Renna wrote:
> I am using Snort and a few other tools to decide which I'd like best.
> Here's the thing about Lowell's comment on Bridging. Is this necessary
> in this case? I don't want the interface without an IP to EVER transmit
> outbound. If I need to enable bridging I'll do so. The other thing is,
> is it possible to configure each card to be on a different subnet (like
> xl1 on 10.X.X.X and xl0 on 192.X.X.X)?

Sounds like you want to put the interface into 'monitor' mode -- see ifconfig(8). If all you want to do on this box is sniff traffic on your network, that should be sufficient, although you will have to configure your switches to pump out a copy of each packet they deal with to the port your box is connected to. It takes quite a sophisticated switch to actually have that capability.

I'm not sure if you even need to specify an address for the card when used in this way: I think it should just pick up any traffic it sees. There's no problem with having multiple interfaces sniffing on multiple networks, or even having the traffic from several networks all directed to the same interface for sniffing.

An alternative way of doing this, which is what I presume Lowell was on about, is to make the sniffing box a bridge between two network segments. In this case, you can't use the ifconfig monitor stuff as the machine will have to forward packets between its interfaces, and the machine will have to have one IP number on that network, so it can't be invisible.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
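
Added example, not part of the original message: a shell check that a sniffing interface really is in monitor mode and carries no IP address, the two properties discussed above. It assumes FreeBSD's ifconfig lists MONITOR among the interface flags; the function names and the sample ifconfig output are constructed for illustration.

```sh
#!/bin/sh
# Audit one interface stanza of FreeBSD `ifconfig` output read from stdin.
# $1 is the interface name. Returns 0 only when the interface has the
# MONITOR flag and no inet/inet6 address, 1 on a finding, 2 if not found.
audit_sniffer_iface() {
    awk -v ifc="$1" '
        # A stanza header looks like "xl1: flags=...<FLAG,FLAG,...> mtu 1500"
        /^[a-zA-Z]/ { cur = $1; sub(/:$/, "", cur) }
        cur != ifc  { next }
        /^[a-zA-Z]/ {
            seen = 1
            flags = $0
            sub(/^[^<]*</, "", flags); sub(/>.*/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "MONITOR") mon = 1
            next
        }
        # Any address on a passive tap means the host can be reached on it
        $1 == "inet" || $1 == "inet6" { addr = addr " " $2 }
        END {
            if (!seen) { print ifc ": not found"; exit 2 }
            if (!mon)  { print ifc ": MONITOR flag not set"; bad = 1 }
            if (addr != "") { print ifc ": has address(es):" addr; bad = 1 }
            if (!bad) print ifc ": ok (monitor mode, no address)"
            exit bad + 0
        }'
}

# Constructed sample: xl0 is a normal addressed NIC, xl1 is the sniffing
# port after `ifconfig xl1 monitor up` (monitor is documented in ifconfig(8)).
sample_ifconfig() {
    cat <<'EOF'
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    ether 00:00:5e:00:53:01
xl1: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> mtu 1500
    ether 00:00:5e:00:53:02
EOF
}

# Demo on the constructed sample; on a real host use:
#   ifconfig | audit_sniffer_iface xl1
sample_ifconfig | audit_sniffer_iface xl1 || true
sample_ifconfig | audit_sniffer_iface xl0 || true
```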