[Snort-users] Ethernet Tap

Craig Paterson craigp at ...9278...
Fri Aug 13 11:57:02 EDT 2004


Frank Knobbe wrote:

>On Fri, 2004-08-13 at 13:31, STEVE MAKOUSKY wrote:
>
>>If not is it easy enough to start snort on two nics and log to the
>>same database and handle packet reconstruction that way????
>
>Uhm... no. Who would be doing the reconstruction? Snort isn't, the
>database isn't.
>
>Sorry, if you want to sniff a single data stream on two NICs
>(split-tap), you would need to configure these NICs in bridge-mode, or
>somehow else have the OS treat both NICs as a single NIC.

Though you (well, Steve anyway) might be able to have his OS do the 
recombination for him. I'm not sure how easy/feasible it is on other 
platforms, but we use half-duplex NICs combined into a single 
full-duplex virtual device using Linux channel bonding. Snort runs 
against the bonded device, and sees a full-duplex stream.

Craig.
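
A sketch of the channel-bonding setup described above, as an added example that is not part of the original message. The names bond0, eth1 and eth2 and the balance-rr mode are assumptions; the script only prints the iproute2 commands unless APPLY=1 is set (which needs root).

```shell
#!/bin/sh
# Added example: plan a receive-only bond from the two tap-facing NICs.
# Interface names and the bonding mode are assumptions, not from the post.

valid_ifname() {
    # Accept only plain names so nothing else ends up in a command line.
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    # Linux interface names are at most 15 characters.
    [ "${#1}" -le 15 ]
}

bond_tap_plan() {
    bond=$1 nic_a=$2 nic_b=$3
    for n in "$bond" "$nic_a" "$nic_b"; do
        valid_ifname "$n" || { echo "invalid interface name: $n" >&2; return 1; }
    done
    if [ "$nic_a" = "$nic_b" ]; then
        echo "tap legs must be two different NICs" >&2
        return 1
    fi
    # balance-rr: the bonding driver propagates promiscuous mode to every
    # slave in this mode, so both tap legs are captured.
    echo "ip link add name $bond type bond mode balance-rr"
    for nic in "$nic_a" "$nic_b"; do
        # A NIC must be down before it can be enslaved.
        echo "ip link set dev $nic down"
        echo "ip link set dev $nic master $bond"
    done
    # No IP address and no ARP: the sensor interface stays silent.
    echo "ip link set dev $bond arp off promisc on up"
}

# Default is a dry run; the plan is executed only when APPLY=1.
if [ "${APPLY:-0}" = 1 ]; then
    bond_tap_plan "${BOND:-bond0}" "${NIC_A:-eth1}" "${NIC_B:-eth2}" |
    while read -r cmd; do
        $cmd || exit 1
    done
fi
```

Once the bond is up, Snort is pointed at it with `snort -i bond0` and sees both directions of the tapped link on one interface.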
