[Snort-users] Ethernet Tap
mkettler at ...4108...
Thu Apr 15 11:19:06 EDT 2004
At 11:13 AM 4/15/2004, Altrock, Jens wrote:
>I am searching for a possibility of constructing an ethernet tap, but not
>like the one found on the snort website
>where I need to attach two network cards to inspect the whole traffic, but
>one using one port for a full
>duplex line. Is that possible and does anyone have some links concerning
>this topic? Would be nice.
In short, you can't do such a bi-directonal tap into a single ethenet port
in a simple way. Such a tap cannot be done in a passive manner and must be
a buffered system with memory, and have a lot of electronics.. It would be
much cheaper to spend the money on a manageable switch with span port
Think about it. You want to feed 100mbit/sec outbound AND 100mbit/sec
inbound into a single 100mbit/sec ethernet port. Sorry, you can't do that
just by soldering a few wires together.
The simple cheap passive tap is simple and cheap because it relies on the
fact that you can feed a single 100mbit/sec stream into a 100mbit/sec port
pretty easily. So you just dump the inbound into one port, the outbound
into another. Poof, instant passive tap, but it requires 2 ethernet cards.
More information about the Snort-users