[Snort-devel] Running pthread enabled snort?

Chris Green cmg at ...81...
Fri Nov 23 04:11:02 EST 2001


Dirk Geschke <Dirk_Geschke at ...802...> writes:

> Yes, it is hardware. The minimal tap is like a mini hub with an uplink 
> to dedicated ports. So you can only read but not write via this link.
> It sounds like the best solution for stealth sniffing. But it is not
> cheap...

They are ~$300 IIRC.  
>
>   http://www.finisar-systems.com/htdocssh/products/taps/index.html
>
> The problem is: If you want to mirror complete traffic you need two
> sniffing ethernet cards. One card for the traffic from host A -> B
> and one for the reverse direction B -> A. In full duplex mode both
> directions can send at maximum speed. So to catch all data you need
> two ethernet cards.

These are very good products and most people don't realize they split
the full duplex conversation. Unifying their input so that different
snort could do both portions of the conversation would be a useful
todo.

The Linux "all" interface stuff isn't really ideal either because
you'll still want to have the management subnet.
-- 
Chris Green <cmg at ...81...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
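
An added example, not part of the original message and not Snort code: one way to unify the two tap outputs offline is to merge the per-direction captures by timestamp into a single stream before handing it to the sensor. It assumes both sniffing cards sit in the same host (so their timestamps share a clock) and that each direction was saved as a classic microsecond pcap file; the function names and the sample records are hypothetical.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap with microsecond timestamps


def read_pcap(buf):
    """Yield (ts_sec, ts_usec, orig_len, data) records from pcap bytes."""
    if struct.unpack_from("<I", buf, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", buf, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(buf):
        sec, usec, incl, orig = struct.unpack_from(endian + "IIII", buf, off)
        off += 16
        if off + incl > len(buf):
            raise ValueError("truncated packet record")
        yield sec, usec, orig, buf[off:off + incl]
        off += incl


def write_pcap(records, linktype=1, snaplen=65535):
    """Serialise records as little-endian pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, orig, data in records:
        out.append(struct.pack("<IIII", sec, usec, len(data), orig))
        out.append(data)
    return b"".join(out)


def merge_tap_halves(a_to_b, b_to_a):
    """Interleave the two directions by timestamp.

    heapq.merge is stable, so on equal timestamps the A->B packet stays
    first. Ordering is only meaningful if both cards share one clock.
    """
    by_time = lambda rec: (rec[0], rec[1])
    merged = heapq.merge(read_pcap(a_to_b), read_pcap(b_to_a), key=by_time)
    return write_pcap(merged)


# Constructed sample: payloads are labels, not real Ethernet frames.
NIC0 = write_pcap([(100, 10, 3, b"SYN"), (100, 30, 3, b"ACK")])     # A -> B
NIC1 = write_pcap([(100, 20, 6, b"SYNACK"), (100, 30, 3, b"FIN")])  # B -> A

if __name__ == "__main__":
    for sec, usec, _, data in read_pcap(merge_tap_halves(NIC0, NIC1)):
        print(f"{sec}.{usec:06d} {data!r}")
```
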



