[SLUG] Re: Transparent data sniffer

[Declan Ingram]

what about a little 4 port hub and you can either cut the TX pair or dont 
assign an IP to the interface as below: 

      }                                 +-------------+
      }  +--------+                     |             |-------
I'net }--| router |-------|hub|---------| switch/hub  |------- subnet
      }  +--------+         |           |             |-------
      }                 +-------+       +-------------+
                  A     |sniffer|                       B
                        +-------+ 

or you could plug it in to devivce 'b' if it is a hub. it is is a switch, 
you can still put the sniffer in device B, just set it as the defalt route 
for the subnet and forward from it to the router. This can be done ligit or 
via arp poisoning (people think switches protect them from sniffing... not 
so!) this is what I would recomend. 

      }                                 +-------------+
      }  +--------+                     |             |--|sniffer|
I'net }--| router |---------------------| switch/hub  |------- subnet
      }  +--------+                     |             |-------
      }                                 +-------------+
                  A                                   B 

After:
if you set it up as below you will have to setup forwarding etc.. = 
unecessary pain. 

/dec 

Howard Lowndes writes: 

I need to configure a Linux box as a transparent data sniffer between an 
Internet connection router and the subnet hub/switch to which it is 
connected (see ASCII art below) 

Before: 

      }                                 +-------------+
      }  +--------+                     |             |-------
I'net }--| router |---------------------| switch/hub  |------- subnet
      }  +--------+                     |             |-------
      }                                 +-------------+
                  A                                   B 

After: 

      }                                 +-------------+
      }  +--------+     +---------+     |             |-------
I'net }--| router |-----| sniffer |-----| switch/hub  |------- subnet
      }  +--------+     +----|----+     |             |-------
      }                      |          +-------------+
                  A     C    |    D                   B
                             E 

The requirement is that interface A must continue to think that is is 
still talking to the same addresses at B and the interfaces at B must 
continue to think they are talking to the address at A.  IOW, interface D 
must mimic interface A and interface C must mimic interfaces B.  
Connection to the sniffer will be at interface E. 

This to enable a transparent man-in-the-middle data sniff.  It's OK, it is
for a legitimate purpose :) 

Does anyone have any pointers to this config.  I believe it was discussed 
on SLUG a few years back, but I can't think where to start looking. 

--
Howard.
LANNet Computing Associates - Your Linux people <http://www.lannetlinux.com>
------------------------------------------
Flatter government, not fatter government - Get rid of the Australian states.
------------------------------------------
I before E except after C. We live in a weird society! 

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug