[Snort-users] Ethernet Tap

Matt Kettler mkettler at ...4108...
Fri Aug 13 12:16:07 EDT 2004

At 02:31 PM 8/13/2004, STEVE MAKOUSKY wrote:
>Has anyone had any luck using the tap that is described in the Doc area?

I've not used that particular tap, but looking at it the tap should work 

>Are there any instructions out there for building a full duplex tap?

A full-duplex single-port tap, by its very nature, is going to have to 
contain a considerable amount of electronics, and cannot be a passive 
device. You can't funnel two 100mbit streams into a single 100mbit port 
without some packet buffering, re-ordering, etc, so it's going to have to 
have onboard memory, etc.

I'd suggest buying a managed switch with a span port, it's much easier and 
cheaper than trying this route, or try the interface bonding trick 
mentioned below.

>If not is it easy enough to start snort on two nics and log to the same 
>database and handle packet reconstruction that way?

Actually, rather than try to sniff two interfaces, most people create a 
bonded interface that combines the two, and run snort on that. Recent 
versions of Linux and *BSD support interface bonding in the kernel.
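
The bonding approach from the reply above, as an added example that is not part of the original post: a script that prints (and, with APPLY=1, runs) the Linux iproute2 commands to combine two tap-facing NICs into one receive-only interface for snort. The names bond0, eth1 and eth2 and the helper tap_bond_cmds are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: eth1 and eth2 are
# the NICs wired to the tap's two outputs, bond0 is the interface snort reads.

# Accept only plain interface names, since the names end up in commands run as root.
valid_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# Print the commands that build a sniffing-only bond: tap_bond_cmds BOND NIC NIC...
tap_bond_cmds() {
    [ "$#" -ge 3 ] || { echo "usage: tap_bond_cmds BOND NIC NIC..." >&2; return 1; }
    for name in "$@"; do
        valid_ifname "$name" || { echo "bad interface name: $name" >&2; return 1; }
    done
    bond=$1; shift
    # balance-rr passes up frames received on every slave; active-backup
    # would discard whatever arrives on the inactive one.
    echo "ip link add $bond type bond mode balance-rr"
    for nic in "$@"; do
        echo "ip link set dev $nic down"        # a NIC must be down to be enslaved
        echo "ip addr flush dev $nic"           # no IP address on a sniffing NIC
        echo "ip link set dev $nic master $bond"
        echo "ip link set dev $nic arp off promisc on up"
    done
    echo "ip link set dev $bond arp off promisc on up"
}

# Default is a dry run that only prints the plan; APPLY=1 (as root) executes it.
if [ "${APPLY:-0}" = 1 ]; then
    tap_bond_cmds bond0 eth1 eth2 | sh -e
else
    tap_bond_cmds bond0 eth1 eth2
fi
# Afterwards the sensor listens on the combined interface: snort -i bond0
```
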


