[Snort-users] Ethernet Tap
craigp at ...9278...
Fri Aug 13 11:57:02 EDT 2004
Frank Knobbe wrote:
>On Fri, 2004-08-13 at 13:31, STEVE MAKOUSKY wrote:
>>If not is it easy enough to start snort on two nics and log to the
>>same database and
>>handle packet reconstruction that way????
>Uhm... no. Who would be doing the reconstruction? Snort isn't, the
>Sorry, if you want to sniff a single data stream on two NICS
>(split-tap), you would need to configure these NICs in bridge-mode, or
>somehow else have the OS treat both NICs as a single NIC.
Though you (well, Steve anyway) might be able to have his OS do the
recombination for him. I'm not sure how easy/feasible it is on other
platforms, but we use half-duplex NICs combined into a single
full-duplex virtual device using Linux channel bonding. Snort runs
against the bonded device, and sees a full-duplex stream.
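
The setup this message describes, as an added example that is not part of the original post: the iproute2 commands that bond two tap legs into one sniffing interface, plus a check that both legs are up, since a dead leg leaves Snort seeing only one direction of every session. The names bond0, eth1, eth2, the bonding mode, the snort.conf path and the sample status text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; bond0/eth1/eth2 and the config path are assumed names.

# Print (not execute) the commands that build a listen-only bond from the
# tap legs, so they can be reviewed and then run as root.
bond_setup_cmds() {
    bond=$1; shift
    echo "ip link add $bond type bond mode balance-rr miimon 100"
    for leg in "$@"; do
        echo "ip link set $leg down"          # a leg must be down to enslave
        echo "ip link set $leg master $bond"
    done
    # No IP address and no ARP: the sensor interface only listens.
    echo "ip link set $bond up promisc on arp off"
    echo "snort -i $bond -c /etc/snort/snort.conf"
}

# Return 0 only if every expected leg appears in a bonding status file
# (the format of /proc/net/bonding/<bond>) with "MII Status: up".
bond_legs_ok() {
    status_file=$1; shift
    for leg in "$@"; do
        awk -v leg="$leg" '
            /^Slave Interface:/ { cur = $3 }
            cur == leg && /^MII Status:/ { if ($3 == "up") ok = 1 }
            END { exit !ok }
        ' "$status_file" || { echo "tap leg $leg missing or down" >&2; return 1; }
    done
}

# Constructed sample of /proc/net/bonding/bond0 with one failed leg.
sample_status() {
    cat <<'EOF'
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Link Failure Count: 0

Slave Interface: eth2
MII Status: down
Link Failure Count: 1
EOF
}

bond_setup_cmds bond0 eth1 eth2
```

On a live sensor, point `bond_legs_ok` at `/proc/net/bonding/bond0` from a cron job or monitoring check so that a failed leg is noticed.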