[Snort-users] snort and network tap

Peter Erickson redlamb at ...7185...
Wed Oct 16 17:31:04 EDT 2002

Im sorry, i didnt even think about stating the OS of the snort machine. I am running Snort 1.9.0 on a FreeBSD 4.6 machine. Does that OS also have 'channel bonding' abilities?

On Thu, Oct 17, 2002 at 01:29:18AM +0800, Michael Boman said:
> Hash: SHA1
> On Thursday 17 October 2002 01:06, Peter Erickson wrote:
> > I am in the process of attaching snort to a network and am not too sure on
> > how to attach it with the network tap that I have. I have the Finisar UTP
> > IL/1. I have been told to connect the 2 tap ports on the Network Tap to a
> > hub and then connect the snort machine to the hub, but after reading some
> > articles on the Snort-Users archive, I heard that I wil lose too many
> > packets due to collisions and that this would not be a good choice. I also
> > read on the snort FAQ that I can not run 1 instance of snort to monitor 2
> > interfaces, so I guess that is not too good of an options either. I am just
> > wondering what the best way to connect my snort machine to the network
> > using the network tap that I have. Thanks in advance.
> If you are running Linux I recommend you to investigate the 'channel bonding' 
> features in the kernel. I don't know how other OS do the same thing. One 
> alternative is to use '-i any' or run two instances of snort. Best way is to 
> combine them with channel bonding thought.
> Best regards
>  Michael Boman
> - -- 
> Michael Boman
> Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
> http://www.securecirt.com
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> iD8DBQE9raH0ds5fQJiraJwRAqm6AJ4tWNanVu9zKZynJfXVR5pKYojdAgCgnOLf
> w3bWsXgclu8dhKKr9VnVLDQ=
> =t+kI

Peter Erickson
redlamb at ...7185...

More information about the Snort-users mailing list