[Snort-users] Tap question

Erek Adams erek at ...950...
Thu Jan 30 11:42:02 EST 2003


On Thu, 30 Jan 2003, Mike Shaw wrote:

> I'm evaluating a move from span ports to taps this year, and I've been
> looking at these:
>
> http://www.netoptics.com/10-100-tap.html
>
> It looks like in order to do this I will need two nics to effectively
> monitor a network: one for incoming packets and one for outgoing.  Is this
> correct?  (if this is covered in a prior post or FAQ, please slap me down
> and I'll look it up)

Have a look at the IDS deployment guides:

	http://www.snort.org/docs/#deploy

Taps usually split the ether stream into two streams.  One is TX and the
other is RX.  You will need two nics to be able to really deal with that.
If you're on a Linux 2.4+ kernel you should be able to use the bonding
patches (http://bonding.sf.net), if on *BSD you should be able to use
bridging, and if on Solaris--I think!--you could use trunking (Sun
software) to combine the two streams into one.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list