[Snort-users] Ethernet Tap
mkettler at ...4108...
Fri Aug 13 12:16:07 EDT 2004
At 02:31 PM 8/13/2004, STEVE MAKOUSKY wrote:
>Has anyone had any luck using the tap that is described in the Doc area?
I've not used that particular tap, but looking at it the tap should work.
>Are there any instructions out there for building a full duplex tap?
A full-duplex single-port tap, by its very nature, is going to have to
contain a considerable amount of electronics, and cannot be a passive
device. You can't funnel two 100mbit streams into a single 100mbit port
without some packet buffering, re-ordering, etc, so it's going to have to
have onboard memory, etc.
I'd suggest buying a managed switch with a span port, it's much easier and
cheaper than trying this route, or try the interface bonding trick.
>If not is it easy enough to start snort on two nics and log to the same
>handle packet reconstruction that way????
Actually, rather than try to sniff two interfaces, most people create a
bonded interface that combines the two, and run snort on that. Recent
versions of Linux and *BSD support interface bonding in the kernel.
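
The bonding setup mentioned in the reply above, as an added example that is not part of the original post. It assumes a Linux sensor with iproute2, the two tap legs on eth1 and eth2, and a bond named bond0 (all three names are placeholders), and it picks balance-rr mode as an assumption since the tap NICs only receive.

```shell
#!/bin/sh
# Added example (not from the original post): plan and optionally apply a
# Linux bond that merges the two receive-only NICs fed by a passive tap.
# bond0, eth1 and eth2 are assumed names; change them to match the sensor.

# Print the iproute2 commands that build the bond. Nothing is executed here,
# so the plan can be reviewed before it touches the sensor's interfaces.
bond_tap_cmds() {
    if [ "$#" -lt 3 ]; then
        echo "usage: bond_tap_cmds BOND NIC NIC [NIC...]" >&2
        return 1
    fi
    bond="$1"
    shift
    # balance-rr is an assumption: the transmit policy is irrelevant on a
    # listen-only bond, and this mode passes promiscuous mode to every slave.
    echo "ip link add $bond type bond mode balance-rr"
    for nic in "$@"; do
        # Tap legs carry no IP address, and a NIC must be down to be enslaved.
        echo "ip addr flush dev $nic"
        echo "ip link set $nic down"
        echo "ip link set $nic master $bond"
    done
    # Bringing the bond up also brings up its slaves.
    echo "ip link set $bond up promisc on"
}

# Run the plan line by line, stopping at the first failure. Requires root.
apply_bond_tap() {
    bond_tap_cmds "$@" | while read -r cmd; do
        $cmd || exit 1
    done
}

# Only change the system when explicitly asked to:
#   BOND_TAP_APPLY=1 sh bond_tap.sh && snort -i bond0
if [ "${BOND_TAP_APPLY:-0}" = "1" ]; then
    apply_bond_tap bond0 eth1 eth2
fi
```
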