[Snort-users] snort and network tap

Jeff Nathan jeff at ...950...
Thu Oct 17 13:22:04 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Peter,

your finisar, formerly shomiti, network tap will split the transmit pair 
from either side of a connection into its own port.

I've made an attempt to illustrate this here:
http://www.snort.org/docs/100Mb_tapping1.pdf

Connecting the two tap ports to a hub would hypothetically work in that 
each Ethernet frame received is broadcast to all ports.  Imagining that the 
tap connected to the hub would use two ports on the hub with a third port 
connected to an interface on a system running snort, you would see both 
sides of the connection.

In the context of TCP stream reassembly, it's basically essential that you 
see both sides of a connection otherwise stream reassembly is much less 
effective and nearly impossiible.

One method of using a tap is illustrated in the aforementioned pdf, where 
the two tap ports are connected to a switch.  The two ports on the switch 
are then  set-up to copy all the Ethernet frames they receive to a third 
port, usually called a SPAN port in Cisco nomenclature.  If the SPAN port 
is also 100Mb, this port can be saturated with traffic as a full-duplex 
100Mb Ethernet connection can transmit 100Mb in *each direction*. 
Alternatively, you could use a Gigabit interface for your SPAN port and 
hypothetically avoid any port saturation issues:

http://www.snort.org/docs/100Mb_tapping2.pdf

Another method, described in the archives of this mailing list, involves 
using interface bonding or bridging.  Depending on your Operating System, 
you can combine two interfaces into a third "virtual" interface which you 
could then use for snort's packet capture (you would specify this interface 
using the -i command line switch).  Depending on your Operating System and 
environment, this might work well although this approach has not yet been 
well tested to my knowledge.

Good luck.

- -Jeff


- --On Wednesday, October 16, 2002 12:06:34 -0500 Peter Erickson 
<redlamb at ...7185...> wrote:

> I am in the process of attaching snort to a network and am not too sure
> on how to attach it with the network tap that I have. I have the Finisar
> UTP IL/1. I have been told to connect the 2 tap ports on the Network Tap
> to a hub and then connect the snort machine to the hub, but after reading
> some articles on the Snort-Users archive, I heard that I wil lose too
> many packets due to collisions and that this would not be a good choice.
> I also read on the snort FAQ that I can not run 1 instance of snort to
> monitor 2 interfaces, so I guess that is not too good of an options
> either. I am just wondering what the best way to connect my snort machine
> to the network using the network tap that I have. Thanks in advance.
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: viaVerio will pay you up to
> $1,000 for every account that you consolidate with us.
> http://ad.doubleclick.net/clk;4749864;7604308;v?
> http://www.viaverio.com/consolidator/osdn.cfm
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
http://www.snort.org/~jeff       (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- - Albert Einstein
    
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9rxtpEqr8+Gkj0/0RAuyOAJ9xo7nAl7wQNvSBMFphZlJe4M1ZNgCfWnGo
5KPBlEWOA8ufRA8zfKztX2A=
=9NF6
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list