[Snort-users] Passive Tap Help

Lists echo at ...9803...
Mon Dec 1 09:00:10 EST 2003


On Mon, 2003-12-01 at 10:50, Frank Knobbe wrote:
> On Mon, 2003-12-01 at 09:21, Peters, Michael D. wrote:
> > http://www.snort.org/docs/100Mb_tapping1.pdf is the picture I am
> > referencing. I am looking to decipher the exact pin out of the 100Mb copper
> > tap. It looks like I would have 4 - RJ45 Ethernet jacks in the tap.
...
> 
> Both streams are fed from the cable into the hub (on its RECEIVE
> lines). Keep in mind that if you monitor a full-duplex connection you
> will encounter packet loss due to collisions. You either need to force
> half-duplex on your monitored connection, or use some switch that can
> guarantee buffering and reassembly of the packets.
...

It may be worth replacing the "switch/spanned port" section with a
second "sniffing interface" to the sensor, i.e. one interface sniffs
incoming, the other sniffs outgoing.

I haven't tried this but I expect it could resolve the collision issue
mentioned above. Also, a second NIC would most likely be cheaper and
easier to find than a switch that can be configured as required.

Would anyone with more snort experience care to comment on this? i.e.
Does this break any of the preprocessors?  What impact would it have on
performance?

  - Paul Beltrani
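As an added illustration, not part of this thread: with a constructed TCP handshake, a stateful check run over either sniffing interface alone sees only half the conversation (a half-open SYN on one side, an unsolicited SYN-ACK on the other), while the two per-direction captures merged by timestamp see the complete handshake. Addresses, timestamps and the `handshake_state` checker are assumptions made for the example.

```python
import heapq
from collections import namedtuple

# Constructed packet records: capture timestamp, endpoints, TCP flag string.
Pkt = namedtuple("Pkt", "ts src dst flags")

# Interface A sees only client->server traffic, interface B only
# server->client, which is what each NIC of a dual-NIC tap sensor delivers.
IFACE_A = [Pkt(1.000, "10.0.0.5", "10.0.0.80", "S"),
           Pkt(1.002, "10.0.0.5", "10.0.0.80", "A"),
           Pkt(1.003, "10.0.0.5", "10.0.0.80", "PA")]
IFACE_B = [Pkt(1.001, "10.0.0.80", "10.0.0.5", "SA"),
           Pkt(1.004, "10.0.0.80", "10.0.0.5", "PA")]

def merge_streams(*streams):
    """Interleave per-direction captures by timestamp so a stateful
    analyser sees both halves of each conversation in order.
    Assumes both NICs stamp packets from the same host clock."""
    return list(heapq.merge(*streams, key=lambda p: p.ts))

def handshake_state(pkts):
    """Track 3-way handshakes per (client, server) pair.
    Returns {pair: 'complete' | 'half-open' | 'unsolicited'}."""
    state = {}
    for p in pkts:
        if p.flags == "S":
            state[(p.src, p.dst)] = "syn"
        elif p.flags == "SA":
            key = (p.dst, p.src)          # reply, so client is p.dst
            state[key] = "synack" if state.get(key) == "syn" else "unsolicited"
        elif p.flags == "A" and state.get((p.src, p.dst)) == "synack":
            state[(p.src, p.dst)] = "complete"
    labels = {"complete": "complete", "unsolicited": "unsolicited"}
    return {k: labels.get(v, "half-open") for k, v in state.items()}

if __name__ == "__main__":
    print("iface A only:", handshake_state(IFACE_A))
    print("iface B only:", handshake_state(IFACE_B))
    print("merged      :", handshake_state(merge_streams(IFACE_A, IFACE_B)))
```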
