[Snort-users] Ethernet Tap

TKaroutsos at ...12252... TKaroutsos at ...12252...
Fri Aug 13 12:43:07 EDT 2004





What about this?

http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Section=products&menuitem=1

It costs about $1000 US.




                                                                                                                                                   
Matt Kettler <mkettler at ...4108...>
Sent by: snort-users-admin at ...4626...ceforge.net
08/13/2004 12:15

To:      "STEVE MAKOUSKY" <SMAKOUS1 at ...12264...>, <snort-users at lists.sourceforge.net>
cc:
Subject: Re: [Snort-users] Ethernet Tap
                                                                                                                                                   
                                                                                                                                                   




At 02:31 PM 8/13/2004, STEVE MAKOUSKY wrote:
>Has anyone had any luck using the tap that is described in the Doc area?

I've not used that particular tap, but looking at it the tap should work
correctly.


>
>Is there any instructions out there for building a full duplex tap?

A full-duplex single-port tap, by its very nature, is going to have to
contain a considerable amount of electronics, and cannot be a passive
device. You can't funnel two 100mbit streams into a single 100mbit port
without some packet buffering, re-ordering, etc, so it's going to have to
have onboard memory, etc.

I'd suggest buying a managed switch with a span port, it's much easier and
cheaper than trying this route, or try the interface bonding trick
mentioned below.



>If not is it easy enough to start snort on two nics and log to the same
>database and
>handle packet reconstruction that way????

Actually, rather than try to sniff two interfaces, most people create a
bonded interface that combines the two, and run snort on that. Recent
versions of Linux and *BSD support interface bonding in the kernel.

ie:
http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/ref-guide/s1-networkscripts-interfaces.html#S2-NETWORKSCRIPTS-INTERFACES-CHAN



