[Snort-users] Ethernet Tap

Matt Kettler mkettler at ...4108...
Fri Aug 13 12:16:07 EDT 2004


At 02:31 PM 8/13/2004, STEVE MAKOUSKY wrote:
>Has anyone had any luck using the tap that is described in the Doc area?

I've not used that particular tap, but looking at it the tap should work 
correctly.


>
>Are there any instructions out there for building a full duplex tap?

A full-duplex single-port tap, by its very nature, is going to have to 
contain a considerable amount of electronics, and cannot be a passive 
device. You can't funnel two 100mbit streams into a single 100mbit port 
without some packet buffering, re-ordering, etc, so it's going to have to 
have onboard memory, etc.

I'd suggest buying a managed switch with a span port, it's much easier and 
cheaper than trying this route, or try the interface bonding trick 
mentioned below.



>If not, is it easy enough to start snort on two nics and log to the same 
>database and handle packet reconstruction that way?

Actually, rather than try to sniff two interfaces, most people create a 
bonded interface that combines the two, and run snort on that. Recent 
versions of Linux and *BSD support interface bonding in the kernel.

i.e.:
http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/ref-guide/s1-networkscripts-interfaces.html#S2-NETWORKSCRIPTS-INTERFACES-CHAN
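
The interface bonding approach from the reply above, written with current iproute2 commands. This is an added example, not part of the original message; the interface names (eth1, eth2, bond0) and the helper function names are assumptions, and applying the plan needs root and the Linux bonding driver.

```shell
#!/bin/sh
# Added example: plan (or apply) a receive-only bond over the two monitor
# ports of a passive tap, so one snort process sees both directions.

valid_ifname() {
    # Accept only a conservative subset of legal Linux interface names.
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

bond_plan() {
    # usage: bond_plan RX_NIC TX_NIC [BOND]  -> prints the commands, one per line
    rx=$1; tx=$2; bond=${3:-bond0}
    for n in "$rx" "$tx" "$bond"; do
        valid_ifname "$n" || { echo "bad interface name: $n" >&2; return 1; }
    done
    [ "$rx" != "$tx" ] || { echo "need two distinct NICs" >&2; return 1; }
    # balance-rr keeps both members active, so frames arriving on either
    # tap output are delivered to the bond device.
    echo "ip link add $bond type bond mode balance-rr"
    for n in "$rx" "$tx"; do
        echo "ip link set $n down"            # a NIC must be down to be enslaved
        echo "ip link set $n master $bond"
    done
    # No IP address is assigned: the sensor only listens.
    echo "ip link set $bond promisc on"
    echo "ip link set $bond up"
}

bond_apply() {
    # Run the plan as root; stop at the first failing command.
    plan=$(bond_plan "$@") || return 1
    echo "$plan" | while read -r cmd; do $cmd || exit 1; done
}

# Typical use on the sensor (as root):
#   bond_apply eth1 eth2 bond0 && snort -i bond0
```

Frames from the two directions are interleaved in arrival order at the bond, so ordering between directions is only approximate under load.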




