Question from a NAT Switch user



internetmafia
02-22-2004, 11:25 PM
OK, I have a hub which I currently use for my sniffing, but I'd prefer to keep everything on the 100mbit switch/router. So I'm wondering: can I put a hub on the WAN side between the router and the cablemodem and just give eth1 a non-routable IP and sniff that way, or does the NAT mess with the packets too much? (I do my inet and network stuff via eth0 on the 100mbit switch.)

Cleric
02-23-2004, 08:05 AM
It seems without having an idea of what your setup is (i.e. where your linux box is, where your EQ box is and where your current hub placement is, etc.) it would be hard for anyone to give you an answer the way you stated that....

I got the "...between the router and the cablemodem.." part but are you talking about putting your linux box on the hub with non-routable IP? Doing it this way would work:

cablemodem
|
switch/router-----rest of network
|
hub----Linux
|--------EQ Box

Dunno if that helps or not....

monster69
02-23-2004, 09:46 AM
I think he was trying to say this:

cablemodem
|
|
hub ----- SEQ box with non-routable IP
|
|
router / switch
|
|
EQ box and other PCs on network



I can't think of a reason that this wouldn't work but you will have to tell your SEQ box to sniff the outside IP address (the one that your internal stuff is being NAT'd to) on your router/switch.

Good luck.

Monster

internetmafia
02-23-2004, 10:02 AM
Guess I did forget my layout

Cablemodem---------NAT router/100mbit switch-------PCs
|
hub-------showeq box & EQ box

But I did kinda forget about the IP change through the WAN port; was figuring if I just put into the command line for it to read my public IP then I could view any sessions from inside the network.

Cryonic
02-23-2004, 10:21 AM
Based on that drawing, it would require you to pay for more IPs from your cable provider. What you want is:



<Cable Modem> - <Hub> - <Router> - PCs (including EQ machines and SEQ eth0)
|
<Showeq Interface eth1>


You do not need any IP address on eth1 to bring it active and sniff with it (not even a non-routable address). You just have to force it awake with the ifconfig command:

ifconfig eth1 up

Cleric
02-23-2004, 10:28 AM
Just seems like that is much more complicated than the EQ and SEQ boxes sharing the HUB inside the router... Not really sure what the benefit or gain would be to go that route unless you want to be able to sniff traffic for all the machines on the router. I guess my question would be, can SEQ differentiate that traffic from outside the router when it is trying to look at packets going by for an internal network ip range? Wouldn't you need to have the box that is running EQ inside the router use the actually assigned IP address while the other machines still used the NAT? I mean in particular if you were trying to sniff more than one EQ box.

Cryonic
02-23-2004, 11:21 AM
Two words:

Session Tracking
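
Added example (not from the thread, and not ShowEQ's own code): a minimal model of what a sniffer on the hub between the cable modem and the router sees, showing that every inside host appears as the router's public IP and that flows can still be told apart by 5-tuple. The NAT model, addresses and ports are constructed assumptions.

```python
# Added illustration: what a WAN-side sniffer sees behind a port-translating NAT.
# All addresses and ports are constructed (RFC 1918 / RFC 5737 ranges).
from collections import defaultdict

PUBLIC_IP = "203.0.113.10"  # constructed public address of the router


class Nat:
    """Minimal port-translating NAT: one public IP, one mapping per inside flow."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (inside_ip, inside_port, proto) -> public_port

    def outbound(self, pkt):
        # Rewrite source IP/port the way the router does before the WAN hub sees it.
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return dict(pkt, src=self.public_ip, sport=self.table[key])


def capture_on_wan(lan_packets):
    """Return the packets as they would appear on the hub outside the router."""
    nat = Nat(PUBLIC_IP)
    return [nat.outbound(p) for p in lan_packets]


def track_sessions(wan_packets):
    """Group WAN-side packets by 5-tuple; return {session_key: packet_count}."""
    sessions = defaultdict(int)
    for p in wan_packets:
        sessions[(p["proto"], p["src"], p["sport"], p["dst"], p["dport"])] += 1
    return dict(sessions)


# Constructed LAN traffic: two inside hosts using the same source port and server.
LAN_PACKETS = [
    {"proto": "udp", "src": "192.168.1.20", "sport": 1234, "dst": "198.51.100.5", "dport": 9000},
    {"proto": "udp", "src": "192.168.1.21", "sport": 1234, "dst": "198.51.100.5", "dport": 9000},
    {"proto": "udp", "src": "192.168.1.20", "sport": 1234, "dst": "198.51.100.5", "dport": 9000},
]

if __name__ == "__main__":
    wan = capture_on_wan(LAN_PACKETS)
    print({p["src"] for p in wan})  # inside addresses are gone, only the public IP remains
    for key, count in track_sessions(wan).items():
        print(key, count)
```

The inside addresses never reach the WAN side, so only the translated source port separates the two machines there.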

S_B_R
02-23-2004, 01:56 PM
It will work just fine. You may have issues if there's a lot of other traffic on your network going out to the internet. It will work nonetheless.

internetmafia
02-24-2004, 12:45 PM
success, =D