[Snort-users] Taps

Jeff Nathan jeff at ...950...
Wed Aug 25 10:42:11 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Aug 25, 2004, at 8:44 AM, Paul Halliday wrote:

> I am currently using this tap:
>
> http://www.snort.org/docs/tap/
>
> This tap sits between a Cisco Catalyst switch and a 2600 router. The
> link is full duplex and I am only capturing traffic on one of the
> ports on the tap. I have tried a cable in the other port and I don't
> get a link light. I have double checked the construction and
> everything seems to be as per the documentation. Has anyone else
> managed to get both streams with the use of this tap?
>
> Also, looking at:
>
> http://www.snort.org/docs/100Mb_tapping1.pdf
>
> Would this be the better way to go? Is the item in the top left of
> this picture the same as the above tap? And the use of the switch is
> simply to combine the two streams?
> I have looked at purchasing a real tap from Securicore Inc that
> combines both streams into one on its own but they want 1300 CAD for
> one of these which is not really in our budget atm.
>
> What, if any, are my other options? -or- What have I missed on the
> construction?
>
> Thanks.
>
> --  
> _________________
> Paul Halliday
> http://dp.penix.org
>
> "Diplomacy is the art of saying "Nice doggie!" till you can find a  
> rock."

Hi Paul,

I'd do what Sandro Poppi suggested and try a crossover cable.  I've  
never tried to build my own passive Ethernet tap, so I can't offer much  
on the topic.  The diagram is wonderfully clear, however (nice job  
Michael).

The tap pictured in the 100Mb_tapping1 diagram is functionally the same  
in that it splits the tx and rx into separate interfaces.  It  
represents a commercial tap.  You're correct, the switch is there to  
recombine the tx and rx pair.

Netoptics sells a tap that recombines the tx and rx pair called an  
aggregator tap.  I've had positive experiences with Netoptics products.
Take a look at their website:

http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Section=products&menuitem=1


- -Jeff

- --
Custom packets with little to no money down.
http://nemesis.sourceforge.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBLM9OEqr8+Gkj0/0RAiWWAJ9+SFRsJLbFh/dDLvNeatEvTs9fUwCfdTLb
PMbPKN376r3YzK8kBCr5bqM=
=3Hae
-----END PGP SIGNATURE-----




