Dustin Puryear <[EMAIL PROTECTED]> writes:

>>Look at the source and destination addresses. The shared-media aspect of
>>cable means you pretty much see all your neighbors' traffic, including
>>arp broadcasts. If it's much higher than normal, and you're seeing an
>
> I don't think this is totally accurate. From what I've seen only
> broadcast traffic can be seen by others. Unicast traffic can't be so
> easily sniffed. I know in the past that what you just said was
> accurate, but not any more. Scott?

You're right, Dustin. To sniff unicast traffic, you need to poison
the ARP cache like you might on an ethernet switch. The dsniff suite
of tools can do this. (Don't DO it on your cable modem unless you
actually work for Cox/Charter/whatever. Do try it on a switched
ethernet LAN that you own, as it is educational.)

It's easiest to think of DOCSIS cable connections as being similar
to being plugged into an ethernet switch.  


> Maybe it's a DHCP problem. :)

Maybe. I haven't turned snort on my obsd box in New Orleans to
see if we're getting the same thing. There's so much ARP traffic
on my segment that my activity light is mostly solid these days
anyway.

-- 
Scott Harney <[EMAIL PROTECTED]>
"...and one script to rule them all."
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
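
On the wire, the ARP cache poisoning mentioned in the message above appears as an IP address suddenly being answered for by a different MAC, often one MAC answering for several IPs. The following checker over `tcpdump -n` ARP lines is an added example, not part of the original message; the function names, sample capture and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump -n ARP reply line: "... ARP, Reply <ip> is-at <mac>, length 28"
REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
)

def parse_replies(lines):
    """Yield (ip, mac) for each ARP reply line; other lines are skipped."""
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()

def find_binding_changes(lines):
    """Return (ip, old_mac, new_mac) each time an IP moves to a different MAC."""
    current, changes = {}, []
    for ip, mac in parse_replies(lines):
        old = current.get(ip)
        if old is not None and old != mac:
            changes.append((ip, old, mac))
        current[ip] = mac
    return changes

def macs_claiming_many_ips(lines, threshold=2):
    """Return {mac: [ips]} for MACs answering for at least `threshold` IPs."""
    claimed = defaultdict(set)
    for ip, mac in parse_replies(lines):
        claimed[mac].add(ip)
    return {m: sorted(ips) for m, ips in claimed.items() if len(ips) >= threshold}

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
12:00:01.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
12:00:02.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.23, length 28
12:00:03.000000 ARP, Reply 192.0.2.23 is-at 00:00:5e:00:53:17, length 28
12:00:09.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:aa, length 28
12:00:09.500000 ARP, Reply 192.0.2.23 is-at 00:00:5E:00:53:AA, length 28
12:00:11.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:aa, length 28
""".splitlines()

if __name__ == "__main__":
    for ip, old, new in find_binding_changes(SAMPLE):
        print(f"{ip} moved from {old} to {new}")
    for mac, ips in macs_claiming_many_ips(SAMPLE).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A DHCP lease change or a router failover also produces a binding change, so a hit is a lead to check against known hardware, not proof of poisoning.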
