[Snort-users] Passive Tap Help

Frank Knobbe frank at ...9761...
Mon Dec 1 08:03:03 EST 2003


On Mon, 2003-12-01 at 09:50, Frank Knobbe wrote:
> For reference, pins 1 and 2 are SEND lines from a device point of view
> (and RECEIVE lines into a hub/switch). Pins 3 and 6 are RECEIVE lines
> from a device point of view. 
> 
> Both streams are fed from the cable into the hub (on it's RECEIVE
> lines). 

BTW: Keep in mind that you can probably not just tack those "tap" lines
into the other cable with a simple solder joint and run it into a third
cable segment. You will mess up the dynamics of this cable to the point
where you will probably loose data. Taps use electronics to get around
that. Three-forked cable have some interesting dynamic properties.
Reflection and resonance and such are way different and on a single
strand of wire.

So for home made stuff, I suggest one of the two (or three) read-only
cables. In theory they move the hub to the top of the drawing and use a
single munged cable to feed the IDS. The hub with its electronics will
ensure a clean "tap" into the sniffed segment.

Cheers,
Frank
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20031201/1b94cce3/attachment.sig>


More information about the Snort-users mailing list