On Sun, 17 Aug 2003, Howard Lowndes wrote:

> > > The requirement is that interface A must continue to think that it is
> > > still talking to the same addresses at B and the interfaces at B must
> > > continue to think they are talking to the address at A.  IOW, interface D
> > > must mimic interface A and interface C must mimic interfaces B.
> > > Connection to the sniffer will be at interface E.
> > >
> > > This to enable a transparent man-in-the-middle data sniff.  It's OK, it is
> > > for a legitimate purpose :)
> > >
> > Seriously, why not make a cable with the TX pair disconnected and plug a
> > single interface into the existing link and sniff it directly, or, if it
> > is a HUB, simply plug into the hub?
> >
> > I understand your problem if you have a switch there, but the first
> > suggestion covers that.
>
> But then it will have to have an IP address from the subnet, which will
> mean that it is not transparent.

No, not at all. The BPF device can be put in promiscuous (sp?) mode, and
will catch any data, regardless. tcpdump is your friend.

I know *FOR AN ABSOLUTE FACT* (because I do it all day, every day) that I
can put an interface in Promisc mode and sniff all data, regardless of
source and destination addresses (and often BOTH are different to the
network address of the card used to sniff), and I can see *everything*.

RossW

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
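
The point argued in the reply above, as an added example that is not part of the original thread: a NIC's receive filter works on destination MAC addresses only, so a capture interface needs no IP address from the subnet. The MAC and IP values are constructed, the function names are hypothetical, and the model assumes the frames physically reach the NIC (hub or receive-only tap, as discussed in the thread).

```python
import struct
from ipaddress import IPv4Address

BROADCAST = b"\xff" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed Ethernet II frame with a bare 20-byte IPv4 header (checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ip

def nic_accepts(frame, nic_mac, promiscuous):
    """Layer-2 receive filter. No IP address is consulted at any point."""
    dst = frame[:6]
    if promiscuous:
        return True  # filter disabled: every frame on the wire is passed up
    # Normal mode: own unicast address or broadcast (multicast lists omitted here)
    return dst == mac(nic_mac) or dst == BROADCAST

def ip_endpoints(frame):
    """Return (src_ip, dst_ip) for an IPv4 frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))

def captured(frames, nic_mac, promiscuous):
    return [ip_endpoints(f) for f in frames if nic_accepts(f, nic_mac, promiscuous)]

# Constructed sample: hosts A and B talk; the sniffer has a MAC but no IP at all.
A_MAC, B_MAC, SNIFFER_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0e"
FRAMES = [
    build_frame(B_MAC, A_MAC, "192.0.2.10", "192.0.2.20"),               # A -> B
    build_frame(A_MAC, B_MAC, "192.0.2.20", "192.0.2.10"),               # B -> A
    build_frame("ff:ff:ff:ff:ff:ff", A_MAC, "192.0.2.10", "192.0.2.255"),  # A -> broadcast
]

if __name__ == "__main__":
    print("normal mode :", captured(FRAMES, SNIFFER_MAC, promiscuous=False))
    print("promiscuous :", captured(FRAMES, SNIFFER_MAC, promiscuous=True))
```
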
