[Snort-users] Passive Tap Help

Frank Knobbe frank at ...9761...
Mon Dec 1 09:50:06 EST 2003


On Mon, 2003-12-01 at 10:58, Lists wrote:
> It may be worth replacing the "switch/spanned port" section with a
> second "sniffing interface" to the sensor.  i.e.  One interface sniffs
> incoming, the other sniffs outgoing.
> 
> I haven't tried this but I expect it could resolve the collision issue
> mentioned above. Also, a second NIC would most likely be cheaper and
> easier to find than a switch that can be configured as required.
> 
> Would anyone with more snort experience care to comment on this? i.e.
> Does this break any of the preprocessors?  What impact would it have on
> performance?

Yup, that's been advertised as a solution. I'd like to see some comments
from folks using it as well.

But you need to be clearer on the second interface solution. It is
possible to use a second NIC and have two pcaps running and the IDS
reassembling the data itself. Or you can have two NICs set up as a
bonded/joined interface where the OS does the reassembling and a single
instance of pcap and IDS runs over the traffic.

My guess on performance is that 1) produces an unneeded overhead that
can be saved with 2). Since there is only a single instance of pcap/IDS,
it shouldn't impact performance at all.

Later,
Frank
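
Added example (not part of the message above, and not Snort code): a small Python sketch of why the two legs of a passive tap must be combined, whether by the IDS or by a bonded interface, before stateful inspection can work. The packet records, addresses and function names are constructed for illustration, and the two NICs are assumed to share a synchronized clock.

```python
import heapq
from collections import namedtuple

# Constructed sample data: one record per packet as seen on each tap leg.
Pkt = namedtuple("Pkt", "ts src dst flags")

RX_LEG = [  # NIC 1: client -> server direction only
    Pkt(1.000, "10.0.0.5:40000", "192.0.2.10:80", "S"),
    Pkt(1.002, "10.0.0.5:40000", "192.0.2.10:80", "A"),
    Pkt(1.003, "10.0.0.5:40000", "192.0.2.10:80", "PA"),
]
TX_LEG = [  # NIC 2: server -> client direction only
    Pkt(1.001, "192.0.2.10:80", "10.0.0.5:40000", "SA"),
    Pkt(1.004, "192.0.2.10:80", "10.0.0.5:40000", "A"),
]


def merge_legs(*legs):
    """Interleave per-direction captures into one stream ordered by timestamp.

    Each leg must already be sorted by timestamp (true for a live capture).
    """
    return list(heapq.merge(*legs, key=lambda p: p.ts))


def established_flows(packets):
    """Return flows for which SYN, SYN/ACK and the final ACK were seen in order."""
    state = {}   # flow key -> (handshake stage, initiator endpoint)
    done = set()
    for p in packets:
        key = frozenset((p.src, p.dst))  # same key for both directions
        st = state.get(key)
        if p.flags == "S":
            state[key] = ("syn", p.src)
        elif p.flags == "SA" and st and st[0] == "syn" and p.dst == st[1]:
            state[key] = ("synack", st[1])
        elif p.flags == "A" and st and st[0] == "synack" and p.src == st[1]:
            state[key] = ("est", st[1])
            done.add(key)
    return done


if __name__ == "__main__":
    print("leg 1 only:", len(established_flows(RX_LEG)))
    print("leg 2 only:", len(established_flows(TX_LEG)))
    print("merged    :", len(established_flows(merge_legs(RX_LEG, TX_LEG))))
```

A tracker fed from a single leg never sees a complete handshake, which is the situation a stream-reassembly preprocessor would be in if each NIC were inspected in isolation.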
