[Snort-users] Tap question
erek at ...950...
Thu Jan 30 11:42:02 EST 2003
On Thu, 30 Jan 2003, Mike Shaw wrote:
> I'm evaluating a move from span ports to taps this year, and I've been
> looking at these:
> It looks like in order to do this I will need two nics to effectively
> monitor a network: one for incoming packets and one for outgoing. Is this
> correct? (if this is covered in a prior post or FAQ, please slap me down
> and I'll look it up)
Have a look at the IDS deployment guides:
Taps usually split the ether stream into two streams. One is TX and the
other is RX. You will need two nics to be able to really deal with that.
If you're on a Linux 2.4+ kernel you should be able to use the bonding
patches (http://bonding.sf.net), if on *BSD you should be able to use
bridging, and if on Solaris--I think!--you could use trunking (Sun
software) to combine the two streams into one.
Hope that helps!
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users