Ethernet splitters
Peter Van Epp
vanepp at sfu.ca
Thu Jul 29 19:58:52 EDT 1999
I don't think so yet. I haven't got the latest release in yet, but there
was a comment on the coralreef list that the fore firmware currently only
captures the first aal5 cell (i.e. only about 44 bytes of header) no matter
what you tell the API to do. More cells is a future enhancement. They also
intend to provide libpcap output which I figure I should be able to just
feed to argus with no argus changes. If I get some time I'll put in the new
release and do a capture and forward it in case I'm mistaken in how much is
really there.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> Hey Peter,
> So would it be useful to have argus read coralreef packet
> capture files? I've added snoop support for the 1.8 version,
> and the coralreef stuff looks pretty trivial. If this is
> interesting, send me a small packet capture file so I can
> test the code.
>
> Oh yeah, and Nortel has a lot of switches that do
> conversation steering in many flexible and convenient
> ways (had to get the corporate marketing in there ;o)
>
> Hope all is well,
>
> Carter
>
> Carter Bullard
> Principal Consultant
> Nortel Networks
> 320 Park Avenue 16th Floor
> New York, New York 10022
> Email cbullard at nortelnetworks.com
> Phone +1 212 317 4230
> Fax +1 212 317 4324
> Pager +1 800 217-7496
>
> -----Original Message-----
> From: Peter Van Epp [mailto:vanepp at sfu.ca]
> Sent: Thursday, July 29, 1999 7:11 PM
> To: nfr-users at nfr.net; argus at lists.andrew.cmu.edu
> Subject: Re: Ethernet splitters
>
>
> Yes this works if you have a switch on the outside of your network.
> The outside of my network is an OC3 ATM link with 80/20 optical splitters
> installed inline into a border router which in turn has a single 100BaseT
> interface to our internal ATM network. When coralreef gets a little further
> along (i.e. once it can capture more than the first AAL5 cell as now and
> libpcap support is there) my IDS will move out past the border router. The
> Ethernet splitter, which will go inline with my 100 baseT link out of the
> border router, will do the same job as the opticals on the OC3 i.e. isolate
> the IDS machine from the sniffed network and allow two NIC cards to sniff a
> full duplex network connection (I already have 2 ATM cards on the outside net
> running Coralreef to play with since the optical splitters do the same thing).
> The transmit leads being snipped protects the IDS from being attacked from the
> net. That is the interest in these particular boxes. Like the "stealth ethernet
> cable" available for NFR from Anzen, it isolates the IDS which is presumably
> out on the big bad Internet from attack from the outside. In my case, being a
> university, it is unclear which is more dangerous from an attack standpoint,
> the internet or my internal backbone (but in either case the splitter is a good
> idea). The second one is intended for our new sniffer which will hopefully be
> able to sniff full duplex (because the box splits the incoming signal in to
> two output ports with no transmit leads that will allow sniffing full duplex)
> whether there is a switch on a given port or not. I don't see how the current
> monitor port implementation on the switches could do this without a special
> purpose port for monitoring which perhaps the Cisco has but mine don't.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> >
> > If you use a Cisco switch and you wish to monitor the link that supplies all
> > the traffic (like to/from a router) just set up a spanning port to send
> > all tx/rv traffic from the router port to another port where your Argus host
> > resides. We usually use a separate interface for monitoring on the Argus
> > host, IP addr 0.0.0.0 to keep in stealth mode. Other switches may work,
> > but we're not familiar with them. We've been able to monitor at a sustained
> > load of 30 Mb/s for hours with this configuration and Argus 1.8.
> >
> > If you don't have a Cisco, use a 10 or 100baseT hub just in front the
> > router.
> > Since your only using two ports, i.e. router and switch, monitoring the
> > traffic
> > on a 3rd port does the trick without any degradation in traffic due to
> > collisions.
> >
> > ...cd
> >
>
More information about the argus
mailing list