[Snort-users] Taps and 10/100 hubs

Bamm Visscher bamm.visscher at ...11827...
Wed Aug 25 16:24:07 EDT 2004

The intelligent bridge is between 10MB and 100MB traffic.  Since your
IDS nic is 100MB, it will never see the 10MB traffic being sent to the
hub (unless your nic can be forced down to 10MB). Even if you can
force the nic to negotiate down to 10MB, every time you see that
collision light on the hub go blinky-blink, another packet will be
lost to /dev/null, never to be seen again (and since the router/switch
passed the packet on w/o problems, don't expect a retransmit). On the
positive side, your perf stats will rock ;)

My suggestion would be to take that hub (or better yet get the 10MB
only version EN104TP) and put it between the switch and router, and
sniff the traffic that way.


On Wed, 25 Aug 2004 15:56:55 -0600, Mike Lieberman <mike at ...12324...> wrote:
> We are still working out how we will be deploying our first IDS server. In all
> the scenarios discussed, I didn't see the following:
> Using the passive tap documented in http://www.snort.org/docs/tap/
> Router <----------------[passive tap]------>switch
> (10Mb,Half-Duplex)    [host, A, B, Host]
>                             /   \
>                            /     \
>                           /       \
>                          /         \
>        (10Mb,Half-Duplex)           (10Mb,Half-Duplex)
>                         \           /
>                          \         /
>                           \       /
>                            \     /
>                             \   /
>                        Hub [4 PORT 10/100]
>                     [example, NETGEAR DS104]
>                               |
>                               |
>                            100Mb NIC
>                              Snort
> Netgear claims the hub has an "intelligent bridge automatically manages
> network traffic..." Since two half-duplex feeds are going into the hub and
> the IDS is connected via a 100Mb NIC, doesn't that solve to a significant
> extent the collision problem? Since we would only be monitoring the
> bandwidth coming to and from the router at 10Mb half-duplex, I don't see
> where we get into buffer issues.
> Since I can't believe I have this right, what am I missing?


