[Snort-users] Can anyone recommend an ethernet tap?

Chris Green cmg at ...671...
Wed Oct 6 06:33:08 EDT 2004

Martin Olsson <elof at ...6680...> writes:

> I want to buy an ethernet tap where snort will listen.
> A----Tap----B
>       |
>    Sniffer
> Criteria:
> * 100Mbps
> * full duplex (not a hub then)
> * the throughput between A and B should be almost the same as using a
>   X-patch cable
> * the sniffer port should see both directions of the traffic (if A and B
>   generate more than 100Mbps together, start dropping packets), I do not
>   want two sniffer ports where one sees A->B and the other B->A, I just
>   want one port that mirrors B<->B

That contradicts the previous two requirements since you'll have the
potential for 200Mbps of traffic or simultaneous transmits.  It's an
easier problem to solve sniffing with 2 cards to combine both sides
again (google for "snort bond0").  To solve that problem any other
way requires a lot more sophisticated circuitry which gets you out of
the cheap solution you're looking for.

You will want either a NetOptics or Finisar tap. Go for whatever one
is cheaper.

On the very high end ($$$), there are the toplayer IDS load balancers
that allow you to plop flows between devices as you need and could
provide the backend logic to merge things back together but that will
set you back a pretty penny.  I just recently got a chance to see one
of them in action and was pretty impressed with the capabilities.

Chris Green <cmg at ...1121...>
"Yeah, but you're taking the universe out of context."

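The two-card approach suggested in the reply above, sketched as an added example that is not part of the original post: a two-port tap feeds one NIC per direction and a Linux bonding device presents both to Snort as a single interface. The names bond0, eth1 and eth2 and the snort.conf path are assumptions, and the commands use current iproute2 syntax rather than the tools of the 2004 thread.

```shell
#!/bin/sh
# Added example. bond0, eth1 and eth2 are assumed names: eth1 is cabled to the
# tap's A->B monitor port and eth2 to its B->A monitor port.

# Print the commands that build a receive-only bond from the two tap-facing
# NICs. Nothing is executed here, so the plan can be reviewed before use.
tap_bond_plan() {
    if [ "$#" -ne 3 ]; then
        echo "usage: tap_bond_plan BOND NIC_A_TO_B NIC_B_TO_A" >&2
        return 2
    fi
    bond=$1
    nic_ab=$2
    nic_ba=$3
    if [ "$nic_ab" = "$nic_ba" ]; then
        echo "each direction of the tap needs its own NIC" >&2
        return 2
    fi
    # balance-rr keeps both slaves active, so frames received on either NIC
    # are delivered on the bond interface.
    echo "ip link add $bond type bond mode balance-rr"
    for nic in "$nic_ab" "$nic_ba"; do
        echo "ip link set $nic down"               # down before enslaving
        echo "ip addr flush dev $nic"              # sensor ports carry no IP
        echo "ethtool -K $nic gro off lro off"     # no coalesced frames
        echo "ip link set $nic promisc on arp off" # listen only, never answer
        echo "ip link set $nic master $bond"
    done
    echo "ip link set $bond promisc on arp off up"
    # Assumed config path; adjust to the local Snort install.
    echo "snort -i $bond -c /etc/snort/snort.conf"
}
```

Review the output of `tap_bond_plan bond0 eth1 eth2`, then apply it as root by piping it to `sh -x`. The sensor host then has to keep up with the combined load of both directions, up to the 200Mbps mentioned in the reply.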