[Snort-users] Passive Tap Help

Frank Knobbe frank at ...9761...
Mon Dec 1 07:51:03 EST 2003


On Mon, 2003-12-01 at 09:21, Peters, Michael D. wrote:
> http://www.snort.org/docs/100Mb_tapping1.pdf is the picture I am
> referencing. I am looking to decipher the exact pin out of the 100Mb copper
> tap. It looks like I would have 4 - RJ45 Ethernet jacks in the tap.
> 
> I guess I am looking for an "Ethernet Tap for Dummies" version that includes
> the wiring pin out for all 4 jacks.

I see. This should be wired like this (theoretically, I haven't tried this particular wiring):

1 ---*----------- 1
2 ---|-*--------- 2
3 ---|-|---*----- 3
4 ---|-|---|----- 4
5 ---|-|---|----- 5
6 ---|-|---|-*--- 6
7 ---|-|---|-|--- 7
8 ---|-|---|-|--- 8
     | |   | | 
     | |   | |
     1 2   1 2

The pins on the hub appear not to be used. Most likely the hub won't
show a link. (That's the reason my cable loops pin 1 and 2, to fake a
link).

For reference, pins 1 and 2 are SEND lines from a device point of view
(and RECEIVE lines into a hub/switch). Pins 3 and 6 are RECEIVE lines
from a device point of view. 

Both streams are fed from the cable into the hub (on its RECEIVE
lines). Keep in mind that if you monitor a full-duplex connection you
will encounter packet loss due to collisions. You either need to force
half-duplex on your monitored connection, or use some switch that can
guarantee buffering and reassembly of the packets.

Enjoy,
Frank
