[SUMMARY] Read-Only Ethernet Interface?

From: Scott Adkins <adkinss_at_ohio.edu>
Date: Tue Sep 25 2001 - 17:27:52 EDT
Original question is listed below.  I received so many responses, that I
will not list them here.  To summarize the question, I was asking how to
turn an ethernet interface into a read-only interface with a guarantee
that it would not transmit anything back out on the network.

It was a pretty even split between cutting the transmit wires of the cable
or simply bringing the ethernet interface up, but not configuring it with
an IP address.

One person suggested a switch, but that was what we were originally using,
and it only permitted mirroring one port to one other port, with no way to
do one to many port mirroring.  Another person suggested a low end cisco,
such as a Cisco 2900, but we would like to avoid spending that much money
on a hardware solution.

So, the only 2 real practical solutions were what I originally thought.
With regards to cutting the transmit wires, some said it would definitely
work, others said they weren't so sure about that.  However, a couple
links were provided that could help out with the proper wiring of a read-
only ethernet cable:

  http://www.snort.org/docs/faq.html#3.1
  http://www.pin-outs.com/datasheet_22.html

The problem that was stated as far as it possibly not working is that the
hub may not see a link light and thus disable the port.  It all depends on
the hub, really.  In any case, the snort link above is great in that
it provides a wiring diagram on how to force the link to be detected and
still have the transmit wires cut.  I think this will be what we will try
first, since it guarantees no traffic coming back to the hub from the Sun.

As far as the other solution goes, which is to configure the interface UP,
but without an IP address, it seems pretty reasonable.  However, I would
still be concerned that the ethernet interface itself would respond to
some broadcasts at the ethernet level.  A couple of people mentioned some
products that did exactly this to get their networking traffic without
transmitting anything, with one of the products being a Cisco product.

Finally, a third solution was suggested that wasn't bad, but would require
building extra stuff in all our different stat gathering packages.  The
general idea was that if you were worried about transmitting anything back
on the wire, have all your stat packages filter those hosts out of the data
before processing the data.  This isn't a bad idea, but if the hosts change
for any reason, we would have to change our software.  This just doesn't
seem to be the best idea, but not a bad one either.

Finally, we will actually implement one or two of the above ideas before
it is all said and done.  I will post another summary after we determine
what actually worked and didn't work for us.

Thanks for all the suggestions!
Scott

--On Tuesday, September 25, 2001 11:48 AM -0400 Scott Adkins 
<adkinss@ohio.edu> wrote:

> We have the need to do some passive network monitoring in our environment.
> Particularly, we would like to listen promiscuously on the ethernet
> interface (hme1) in read-only mode with a guarantee that we will not be
> transmitting anything back on the wire.
>
> This is more or less how we have our network monitoring environment set
> up:
>
>
>     +---------+                  +----------+
>     | Central |------------------| Internet |
>     | Router  |                  | Router   |
>     +---------+                  +----------+
>             |
>             | mirrored port  +-----------+
>             +--------------->| 100MB Hub |---Ultra 10
>               (read-only)    +-----------+
>                                |       |
>                            Ultra 10  Ultra 10
>
>
> When our network monitoring environment was simpler, we used a switch in
> place of the hub.  However, the switches we have can only do a one-to-one
> mirroring, meaning that we could only hang a single sun machine off the
> switch to listen to a particular feed.
>
> The hub deals with that problem, but since the ports off the hub aren't
> read-only ports, any chatter coming back from the sun would get sent to
> the other suns attached to the hub, which could cause collisions or other
> weird networking anomalies... keep in mind that we are wanting to do
> statistics on the data in the incoming stream, so we don't want data from
> the other suns being added to it.
>
> Anyways, I don't see an obvious way to put an ethernet interface into
> read-only mode.  I didn't see anything in ifconfig.  I guess one possible
> way to do it is to *not* assign an IP address to the ethernet interface
> and try reading from it normally (promiscuous mode).  I believe this will
> work, but I am not sure if this would produce a true read-only mode.
>
> Another possible way is to snip a couple wires in an ethernet cable (the
> transmit wires) [ICK!] to prevent the suns from talking back to the hub,
> but I am not sure if the hub needs to see something on those wires in
> order to enable the port (link light?).  That is an area I don't know much
> about anyways...

--
 +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                  mailto:adkinss@ohio.edu
        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
 +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
     CNS, HDL Center, Suite 301, Ohio University, Athens, OH 45701-2979
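The third approach from the summary above, dropping the monitoring hosts' own chatter before the stats code processes the capture, as an added Python example (not code from the original thread or from any of the products mentioned). The MAC addresses are constructed placeholders, the function names are my own, and the host list is kept in one set so that a change of hosts is a data change rather than a code change, which was the author's stated worry:

```python
import struct

# Constructed placeholder MACs for the monitoring Suns hung off the hub.
MONITOR_MACS = {"08:00:20:aa:bb:01", "08:00:20:aa:bb:02", "08:00:20:aa:bb:03"}

def mac_str(raw):
    """Render six raw bytes as a colon-separated lowercase MAC string."""
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Return (dst_mac, src_mac, ethertype, payload) for an Ethernet II frame,
    or None if the frame is shorter than the 14-byte header."""
    if len(frame) < 14:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype, frame[14:]

def is_monitor_chatter(frame, monitor_macs=MONITOR_MACS):
    """True if the frame was sourced by one of the monitoring hosts."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False  # runts are left for the stats code to count as errors
    _, src, _, _ = parsed
    return src in monitor_macs

def filter_capture(frames, monitor_macs=MONITOR_MACS):
    """Drop monitoring-host chatter; return (kept_frames, dropped_count)."""
    kept = [f for f in frames if not is_monitor_chatter(f, monitor_macs)]
    return kept, len(frames) - len(kept)

def bpf_filter(monitor_macs=MONITOR_MACS):
    """Equivalent pcap-filter expression, so a capture tool such as tcpdump
    or snort can discard the chatter before it reaches the stats package."""
    clauses = " or ".join(f"ether src {m}" for m in sorted(monitor_macs))
    return f"not ({clauses})"

def build_frame(dst, src, etype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame from MAC strings (constructed test data)."""
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return struct.pack("!6s6sH", to_bytes(dst), to_bytes(src), etype) + payload
```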
Received on Tue Sep 25 22:27:52 2001
