[Snort-users] Ethernet Tap

Craig Paterson craigp at ...9278...
Fri Aug 13 11:57:02 EDT 2004

Frank Knobbe wrote:

>On Fri, 2004-08-13 at 13:31, STEVE MAKOUSKY wrote:
>>If not, is it easy enough to start snort on two NICs and log to the
>>same database and handle packet reconstruction that way????
>Uhm... no. Who would be doing the reconstruction? Snort isn't, the
>database isn't.
>Sorry, if you want to sniff a single data stream on two NICs
>(split-tap), you would need to configure these NICs in bridge-mode, or
>somehow else have the OS treat both NICs as a single NIC.

Though you (well, Steve anyway) might be able to have his OS do the 
recombination for him. I'm not sure how easy/feasible it is on other 
platforms, but we use half-duplex NICs combined into a single 
full-duplex virtual device using Linux channel bonding. Snort runs 
against the bonded device, and sees a full-duplex stream.
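
Added example, not part of the original message: a sketch of the channel-bonding setup described above, using iproute2. The interface names (bond0, eth1, eth2), the balance-rr mode and the miimon value are assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Bond the two receive legs of a split tap into one sniffing device.
# Interface names and bonding options are assumptions, not from the post.

# Print the commands that build the bond; nothing is executed here.
bond_tap_plan() {
    [ $# -eq 3 ] || { echo "usage: bond_tap_plan BOND LEG_A LEG_B" >&2; return 2; }
    bond=$1; leg_a=$2; leg_b=$3
    # Reject empty names or names with characters outside a conservative set.
    for n in "$bond" "$leg_a" "$leg_b"; do
        case $n in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: '$n'" >&2; return 2 ;;
        esac
    done
    # One NIC per tap leg; using the same NIC twice loses one direction.
    if [ "$leg_a" = "$leg_b" ] || [ "$bond" = "$leg_a" ] || [ "$bond" = "$leg_b" ]; then
        echo "bond and tap legs must be three different interfaces" >&2
        return 2
    fi
    # balance-rr is chosen here because active-backup would discard frames
    # arriving on the inactive leg, i.e. one direction of the tapped link.
    echo "ip link add $bond type bond mode balance-rr miimon 100"
    for leg in "$leg_a" "$leg_b"; do
        echo "ip link set dev $leg down"          # a NIC must be down to be enslaved
        echo "ip link set dev $leg master $bond"
    done
    # Sensor interface: no IP address, no ARP, promiscuous.
    echo "ip link set dev $bond arp off"
    echo "ip link set dev $bond promisc on"
    echo "ip link set dev $bond up"
}

# APPLY=1 (as root) executes the plan and starts Snort on the bonded
# device; the default just prints the plan for review.
if [ "${APPLY:-0}" = 1 ]; then
    bond_tap_plan bond0 eth1 eth2 | sh -e && snort -i bond0
else
    bond_tap_plan bond0 eth1 eth2
fi
```

After applying, /proc/net/bonding/bond0 should list both tap legs as slaves with link up before Snort is trusted to be seeing both directions.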


