AW: [Snort-users] Ethernet Tap

Altrock, Jens Jens.Altrock at ...9749...
Fri Apr 16 05:48:24 EDT 2004


First, thanks for the answers, and sorry for another dumb question. :-/
I thought that this thing wouldn't work that way, but there is
a problem anyway concerning that two-port solution. I'd need software that
reassembles the network traffic in a way, right? For I need both lines
(TX and RX) to analyze "special" or more complex attacks. So is there any
affordable software that does that? Or is there any solution for that
problem?

Regards,

Jens Altrock

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Thursday, April 15, 2004 20:18
To: Altrock, Jens; Snort-Users (E-Mail)
Subject: Re: [Snort-users] Ethernet Tap


At 11:13 AM 4/15/2004, Altrock, Jens wrote:
>I am searching for a possibility of constructing an ethernet tap, but not
>like the one found on the snort website
>where I need to attach two network cards to inspect the whole traffic, but
>one using one port for a full
>duplex line. Is that possible and does anyone have some links concerning
>this topic? Would be nice.

In short, you can't do such a bi-directional tap into a single ethernet port 
in a simple way. Such a tap cannot be done in a passive manner and must be 
a buffered system with memory, and have a lot of electronics. It would be 
much cheaper to spend the money on a manageable switch with span port 
capability.


Think about it. You want to feed 100mbit/sec outbound AND 100mbit/sec 
inbound into a single 100mbit/sec ethernet port. Sorry, you can't do that 
just by soldering a few wires together.

The simple cheap passive tap is simple and cheap because it relies on the 
fact that you can feed a single 100mbit/sec stream into a 100mbit/sec port 
pretty easily. So you just dump the inbound into one port, the outbound 
into another. Poof, instant passive tap, but it requires 2 ethernet cards.