[Snort-users] snort and network tap
jeff at ...950...
Thu Oct 17 13:22:04 EDT 2002
Your Finisar (formerly Shomiti) network tap will split the transmit pair
from either side of a connection into its own port.
I've made an attempt to illustrate this here:
Connecting the two tap ports to a hub would hypothetically work in that
each Ethernet frame received is broadcast to all ports. Imagining that the
tap connected to the hub would use two ports on the hub with a third port
connected to an interface on a system running snort, you would see both
sides of the connection.
In the context of TCP stream reassembly, it's basically essential that you
see both sides of a connection; otherwise stream reassembly is much less
effective and nearly impossible.
One method of using a tap is illustrated in the aforementioned pdf, where
the two tap ports are connected to a switch. The two ports on the switch
are then set up to copy all the Ethernet frames they receive to a third
port, usually called a SPAN port in Cisco nomenclature. If the SPAN port
is also 100Mb, this port can be saturated with traffic as a full-duplex
100Mb Ethernet connection can transmit 100Mb in *each direction*.
Alternatively, you could use a Gigabit interface for your SPAN port and
hypothetically avoid any port saturation issues:
Another method, described in the archives of this mailing list, involves
using interface bonding or bridging. Depending on your Operating System,
you can combine two interfaces into a third "virtual" interface which you
could then use for snort's packet capture (you would specify this interface
using the -i command line switch). Depending on your Operating System and
environment, this might work well although this approach has not yet been
well tested to my knowledge.
--On Wednesday, October 16, 2002 12:06:34 -0500 Peter Erickson
<redlamb at ...7185...> wrote:
> I am in the process of attaching snort to a network and am not too sure
> on how to attach it with the network tap that I have. I have the Finisar
> UTP IL/1. I have been told to connect the 2 tap ports on the Network Tap
> to a hub and then connect the snort machine to the hub, but after reading
> some articles on the Snort-Users archive, I heard that I will lose too
> many packets due to collisions and that this would not be a good choice.
> I also read on the snort FAQ that I can not run 1 instance of snort to
> monitor 2 interfaces, so I guess that is not too good of an option
> either. I am just wondering what the best way to connect my snort machine
> to the network using the network tap that I have. Thanks in advance.
http://www.snort.org/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
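An added example, not part of the original post and not Snort project code, to make the "both sides of the connection" point concrete. It assumes each tap port was captured on its own interface with tcpdump -w into classic pcap format (microsecond timestamps, Ethernet link type), then merges the two one-way captures by timestamp into one bidirectional file that snort -r can read, and counts packets per TCP direction so a one-sided capture is obvious. The frames, addresses and timestamps are constructed inline for the demonstration; this is an offline merge for after-the-fact analysis, not a replacement for the hub, SPAN or bonding setups discussed above.

```python
"""Merge the two one-way captures a passive tap produces into one bidirectional
pcap and check that both sides of each TCP flow are present.  Added example, not
from the original post; assumes each tap port was captured on its own interface
with `tcpdump -w` (classic pcap, microsecond timestamps, Ethernet link type).
The sample frames below are constructed here, not captured traffic."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) for every record in a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # same magic, file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24                                # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def write_pcap(records) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) records as a little-endian classic pcap."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in records)
    return header + body

def merge_taps(tap_a: bytes, tap_b: bytes) -> bytes:
    """Interleave both tap ports' records by timestamp (stable sort: on an exact
    tie tap A's frame stays ahead of tap B's)."""
    records = list(read_pcap(tap_a)) + list(read_pcap(tap_b))
    records.sort(key=lambda r: (r[0], r[1]))
    return write_pcap(records)

def _tcp_fields(frame: bytes):
    """(src_ip, sport, dst_ip, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return src, sport, dst, dport, tcp[13]

def flow_directions(pcap: bytes) -> dict:
    """Packets per TCP direction.  A connection with only one (src, sport, dst,
    dport) key was captured one-sided and gives stream reassembly nothing to pair."""
    counts = defaultdict(int)
    for _, _, frame in read_pcap(pcap):
        fields = _tcp_fields(frame)
        if fields:
            counts[fields[:4]] += 1
    return dict(counts)

def flag_sequence(pcap: bytes) -> list:
    """TCP flag bytes in file order, to confirm the two sides interleave correctly."""
    return [f[4] for f in (_tcp_fields(fr) for _, _, fr in read_pcap(pcap)) if f]

def tcp_frame(src_ip, sport, dst_ip, dport, flags, payload=b"") -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (constructed data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload

CLIENT, SERVER = "192.0.2.10", "198.51.100.20"   # documentation addresses, constructed
T0 = 1034860800                                   # constructed timestamp base (seconds)
# Tap port A carries only the client's transmit pair, port B only the server's.
TAP_A = write_pcap([
    (T0, 0,   tcp_frame(CLIENT, 40000, SERVER, 80, 0x02)),                  # SYN
    (T0, 200, tcp_frame(CLIENT, 40000, SERVER, 80, 0x10)),                  # ACK
    (T0, 300, tcp_frame(CLIENT, 40000, SERVER, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
])
TAP_B = write_pcap([
    (T0, 100, tcp_frame(SERVER, 80, CLIENT, 40000, 0x12)),                  # SYN/ACK
    (T0, 400, tcp_frame(SERVER, 80, CLIENT, 40000, 0x18, b"HTTP/1.0 200 OK\r\n\r\n")),
])

if __name__ == "__main__":
    merged = merge_taps(TAP_A, TAP_B)
    print("tap port A alone: ", flow_directions(TAP_A))
    print("both ports merged:", flow_directions(merged))
    print("handshake order:  ", [hex(f) for f in flag_sequence(merged)])
    with open("tap-merged.pcap", "wb") as out:    # replay it with: snort -r tap-merged.pcap
        out.write(merged)
```

Run as a script it shows tap port A alone yielding a single client-to-server key, the merged file yielding both keys, and the merged flag order SYN, SYN/ACK, ACK followed by the two data segments, then writes tap-merged.pcap for replay with snort -r. The one-sided result for a single tap port is exactly what Snort's stream reassembly faces live when only one tap port reaches its sniffing interface.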