[Snort-users] Ethernet Tap

Matt Kettler mkettler at ...4108...
Thu Apr 15 11:19:06 EDT 2004

At 11:13 AM 4/15/2004, Altrock, Jens wrote:
>I am searching for a possibility of constructing an ethernet tap, but not
>like the one found on the snort website
>where I need to attach two network cards to inspect the whole traffic, but
>one using one port for a full
>duplex line. Is that possible and does anyone have some links concerning
>this topic? Would be nice.

In short, you can't do such a bi-directonal tap into a single ethenet port 
in a simple way. Such a tap cannot be done in a passive manner and must be 
a buffered system with memory, and have a lot of electronics.. It would be 
much cheaper to spend the money on a manageable switch with span port 

Think about it. You want to feed 100mbit/sec outbound AND 100mbit/sec 
inbound into a single 100mbit/sec ethernet port. Sorry, you can't do that 
just by soldering a few wires together.

The simple cheap passive tap is simple and cheap because it relies on the 
fact that you can feed a single 100mbit/sec stream into a 100mbit/sec port 
pretty easily. So you just dump the inbound into one port, the outbound 
into another. Poof, instant passive tap, but it requires 2 ethernet cards.

