[Snort-users] Passive Tap Help

Jeff Nathan jeff at ...950...
Mon Dec 1 09:48:05 EST 2003


counter.spy at ...348... once sent this to me... it might help you out.

(Attached)

-Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ethertap_v_en.jpg
Type: image/jpeg
Size: 149667 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20031201/d003253d/attachment.jpg>
-------------- next part --------------

On Dec 1, 2003, at 11:17 AM, kenw at ...10492... wrote:

> On Mon, 1 Dec 2003 10:21:53 -0500, you wrote:
>
>> http://www.snort.org/docs/100Mb_tapping1.pdf is the picture I am
>> referencing. I am looking to decipher the exact pin out of the 100Mb 
>> copper
>> tap. It looks like I would have 4 - RJ45 Ethernet jacks in the tap.
>
> Yup.
>
>> I guess I am looking for an "Ethernet Tap for Dummies" version that 
>> includes
>> the wiring pin out for all 4 jacks.
>>
>> Best regards,
>> Michael D. Peters
>
> That diagram is interesting.  Essentially, what it does is take both 
> sides
> of a Cat 5 cable and feed them into separate RX lines on two ports of a
> switch, and then use the switch's spanned port to "see" them both at 
> once.
>
> Pin numbers on it could have helped, but you can look at any Ethernet 
> RJ45
> pinout diagram for them.  I recommend it for educational value.  Just
> remember to match polarities.
>
> Note that the "copper tap" may appear to constitute a crossover 
> connection
> on the full duplex lines, but it doesn't.  TX stays TX, RX stays RX.  
> The
> crossover occurs when one FDX TX line goes the a switch's RX lines.
>
> You could even build a box with no crossovers at all, and use a 
> crossover
> cable on one of the switch ports.
>
> So far as I can see, this is a lot of trouble and expense (low-cost
> switches with port spannning are rare) to go to when you could do 
> nearly
> all of it with a cheap hub.  The tap's claim to fame is that it passes 
> full
> duplex while monitoring both ways, by funneling two Ethernet lines into
> one; it relies on the spanned port's buffering to avoid dropping 
> packets.
> A hub would accomplish the same net result by disabling full-duplex on 
> the
> tapped line, but that's usually a minor issue, very unlikely to be 
> noticed
> on all but the busiest links.
>
> /kenw
>
> Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
> K&M Systems Integration
> Phone (403)274-7848
> Fax   (403)275-4535
> kenw at ...10492...
> www.kmsi.net
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?  SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

--
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Problems cannot be solved at the same level of awareness that
created them."   - Albert Einstein

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20031201/d003253d/attachment.sig>


More information about the Snort-users mailing list