[Snort-users] Ethernet Tap

Sean Lazar slazar at ...9944...
Thu Apr 15 11:51:07 EDT 2004


Jens,

The reason for a two-card setup with a tap is to physically prevent your 
IDS from ever transmitting. On an Ethernet port with 10/100BaseT there 
is one pair of wires for transmitting (TX) and one pair for 
receiving (RX). They use two network cards and the pairs are connected to 
each card's RX pairs. The TX pairs are never connected and so they 
physically cannot transmit anything. What you ask is not possible 
because a TX pair on a card cannot be made to receive.

Some alternatives are to use a 100 speed hub and sniff off of that, or, 
if you have a managed switch, manage the port to 100/half duplex and 
set up port mirroring and attach your IDS to the mirrored port. These 
alternatives are viable if you don't really use all of your 100/full duplex.

Cheers,
Sean

Altrock, Jens wrote:

>Hi there!
>
>I am searching for a possibility of constructing an ethernet tap, but not
>like the one found on the snort website
>where I need to attach two network cards to inspect the whole traffic, but
>one using one port for a full 
>duplex line. Is that possible and does anyone have some links concerning
>this topic? Would be nice.
>
>Regards,
>
>Jens Altrock