[Snort-users] Home-made ethernet TAP

Nicholas Bachmann nbachmann at ...9372...
Tue Aug 19 05:12:11 EDT 2003


Frank Knobbe wrote:

>On Mon, 2003-08-18 at 23:42, Ryan B. Lynch wrote:
>  
>
>>So here's the question:  this took me ~20 minutes and $10 worth of parts 
>>to gin up.  Why the heck do ethernet TAPs cost $400 and up?  I've STFW'd 
>>and asked everyone I know who works with Ethernet, but no-one had ever 
>>heard of a working homebrew TAP like this.  Am I just using the wrong 
>>keywords?
>>    
>>
>
>Must be. Some time ago I played with a cable which ended up in the Snort
>FAQ as the Read-only cable. There is a similar RO cable with a capacitor
>inline (to scramble the send signal) on the Internet. AUI connectors
>with the send line cut is another. I also made a cable that split into
>two pairs, one for each direction (like your cable). The drawback is
>that you would need to combine the traffic flow. Using two NICs like you
>have would work, using a buffered switch might be another approach. A
>
But if you use a swich, wouldn't the packets not be forwarded, since the 
L2 forwarding table of the switch wouldn't have the sensor's MAC, and 
the sensor wouldn't respond to an ARP request?

Some cheap switches may then just act as a repeater, but you probably 
have to be careful with what you buy... right?

-- 
	Regards,
	Nick

	Nicholas Bachmann, SSCP
	Technology Department
	Davison Community Schools









More information about the Snort-users mailing list